Introducing UnityOne:

The Active Network Defense System that protects networks at 2 Gbps.

UnityOne is a security breakthrough. It is an ultra-high performance active network defense system that blocks network attacks before critical resources are damaged.

Full 2 Gbps Network Defense System

Software-based solutions running on Pentium™, SPARC, or MIPS processors are too slow to offer real-time network defense. UnityOne is built on custom security-specific processors designed for ultra-high-speed network security applications.

Stops Worms, Viruses, Trojans, Blended Threats, DDoS

Blocks thousands of attack types based on absolute attack filters.

Digital Vaccine™ Update Service

Digital Vaccines™ are developed and delivered by TippingPoint's Threat Management Center, which monitors over 10,000 sensors around the world to rapidly inoculate UnityOne systems against first-strike attacks.

High Availability Mode

Active-Active Redundant Protection

Up to 40 Physical Security Zones

Prevents both external and internal attacks. Security policies can be set to protect by user, department and site.

[Diagram: Active Network Defense Architecture. UnityOne sits between the Firewall and the Corporate LAN, protecting security zones such as Zone 1 Web Servers, Zone 2 Intranet, Zone 3 Wireless Services, ... Zone 40 Engineering Dept.]

UnityOne becomes a seamless element of the network infrastructure, shooting down Internet and Intranet attacks in real time. In delivering pre-emptive network defense, UnityOne is unyielding to hostile information attacks. Worms, viruses, trojan horses, blended threats, multi-headed threats, hybrid attacks, DoS and DDoS attacks are all vanquished at 2 gigabits per second.

Copyright © 2002 TippingPoint Technologies. UnityOne is a trademark of TippingPoint Technologies.
UnityOne Defends at 2 Gbps

UnityOne performs high-speed packet and flow reassembly, stateful inspection, packet classification and unanchored content searching. The following table shows UnityOne's performance in terms of Intel® Pentium® Equivalents (PE).

A Level of Security Beyond the Firewall and IDS

Network defense systems are an emerging class of products that significantly improve network security.

Packet Size                               UnityOne Pentium Equivalents* (PE)
64 bytes (Fragmented Attacks)             78 PE
384 bytes (Avg. Enterprise Packet Size)   42 PE
1500 bytes (Max IP Packet Size)           21 PE

*Intel® Pentium® III 1 GHz, 768 MB RAM when applied to Intrusion Blocking. Performance metrics derived from NSS Group, Europe's foremost independent network and security testing organization.

UnityOne's processing capabilities include:

TCP session flow reassembly
IP and UDP fragment reassembly
Session state tracking at 250,000 sessions per second
Application layer protocol decoding
Full regular expression matching across multiple packets
Fast Protection Program

Aggressive cyber-attacks are accelerating. The TippingPoint Fast Protection Program is a no-risk network lock-down program. Once qualified, UnityOne is installed in your network for 30 days. At the end of the testing period, UnityOne is purchased and kept in place or the system can be returned.

To enroll in the TippingPoint Fast Protection Program, call a TippingPoint Security Specialist at 1-88UNITYONE or visit www.tippingpoint.com

UnityOne strengthens the effectiveness of firewalls by blocking hostile traffic that has infiltrated open ports. And while IDS products are somewhat useful in cleaning up post-attack damage, the amount of information and alerts they generate can be overwhelming. But with UnityOne, blocked attacks cause no damage. Period.

UnityOne from TippingPoint Technologies

All other trademarks are the property of their respective owners. All rights reserved.
The company that pioneered enterprise security just revolutionized it.

Symantec Integrated Security

[Diagram: Integrated Gateway Security (Intrusion Detection, Firewall/VPN, Content Filtering, Virus Protection, Management) and Integrated Client Security (Intrusion Detection, Firewall, Virus Protection, Management).]

Introducing the secure enterprise. Before the Internet, before laptops, before e-anything, Symantec™ was protecting companies from virus attacks and malicious code. But today's world is radically different. Threats have become more complex, dangerous and costly; and security that was once considered adequate is now rightly seen as incomplete and vulnerable. Now a revolutionary solution has arrived. Symantec Integrated Security is comprehensive security that protects your entire enterprise. Every element is designed to work together as a seamless and unified system. The result is more efficient management, quicker response to new threats and, ultimately, better protection for your whole company — from your gateway with Symantec™ Gateway Security, to your clients with Symantec™ Client Security. It's a new way to understand and create the truly secure enterprise. Join the revolution. Visit http://ses.symantec.com/USB000A8VDl or call 800-/45-6054 for our free White Paper, “Integrated Security: Creating the Secure Enterprise.”
Bob Degen, senior VP for corporate security at First Data, warns workers about wobbly wireless security. PAGE 44

COLUMNS

26 Balancing Risk and Responsibility
SECURITY COUNSEL Contra Costa County CISO Kevin Dickey answers readers' questions about security in local government.

28 Domesticating the Database
FLASHPOINT Our law, ethics and privacy columnist weighs in on protecting the corporate information assets. By David H. Holtzman

58 A Little Chin Music
CSO UNDERCOVER You'll need to learn to cover your bases if you want to become an ace CSO. By Anonymous

30 Cover Story: The Big Fix
SOFTWARE APPLICATION SECURITY Insecure software is forcing vendors to do what they've never done before: make good software. By Scott Berinato

38 You're Certifiable
SECURITY CERTIFICATION Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms. By Simone Kaplan

44 How to Rope In Rowdy Technologies
SECURING THE INFRASTRUCTURE Four technologies have CSOs rewriting their security policies and reaching for the Maalox. Here's why they're causing such havoc. By Daintry Duffy

52 Keep It Simple (That's the Hardest Thing)
INTERVIEW Management consultant Patrick Lencioni talks to Cardinal Health's John Hartmann. Together they tackle tough questions on a tough problem: effective management in security.

Cover photo by Ed Caldwell

IN EVERY ISSUE
6 CSOonline.com
8 Letter from the Editor
10 Advisers
66 Index

DEPARTMENTS

15 Briefing
The operating system voted most hackable; Viral tendencies; The eyes have it; Now scan this; Science is golden; Freedom of expression: Denied.

24 Wonk
Wireless surveillance: The military cracks down on using handhelds. By Julie Hanson

61 Machine Shop
Anti-social engineering: Lessons from reading Mitnick. By Simson Garfinkel

68 Debriefing
Viruses: Shaken, not stirred

4 www.csoonline.com October 2002


YOU'RE PROTECTED AGAINST HACKERS, VIRUSES AND WORMS. BUT WHAT ABOUT ROSE IN BENEFITS?

eTrust Security Solutions

Complete protection for your entire enterprise.

When it comes to protecting your business, you need security that can protect your enterprise from potential threats, no matter where they may come from. That's exactly what eTrust does. Our family of products allows you to not only safeguard your entire enterprise, but also view and manage that security either centrally or from multiple delegated locations. So you can continue to grow and maximize new opportunities while minimizing your risk. And that's security you can feel secure about.

Computer Associates™

HELLO TOMORROW™ | WE ARE COMPUTER ASSOCIATES | THE SOFTWARE THAT MANAGES eBUSINESS™ | ca.com/etrust/complete
Up the Revolution

In August, CSO's sister publication, CIO, held a conference in Colorado Springs. One of the speakers was Stanford University economist Brian Arthur, who spent an exceptionally lucid hour debunking management guru Peter Drucker's assertion that the information revolution has come to an end. Arthur buttressed his bullish argument with examples, from industrial history, of other large-scale transformations that stalled and languished after celebrated early stages. In each case, the becalmed revolution eventually got its second wind, fulfilling the vision of its early potential. (Arthur spoke at length about the railroading craze in England in the middle 1800s, which boasted an irrationally exuberant stock-valuation bubble not unlike our own recent dotcom one.)

In making his comparisons, Arthur provided a plausible context in which to understand the present technology market doldrums. Information technology, he said, now finds itself in a state of development comparable to that of the automobile in the early 1900s, when it lacked adequate brakes, windshield wipers, headlights, an internal ignition system and—most important—an interlaced network of paved roads and a critical mass of gas stations and other amenities. Arthur calls those supporting systems “arrangement of use” technologies. They, in short, are all of the myriad related elements that make a technology safe and comfortable to adopt for the broadest population of users. In the case of the automobile, it would take until the 1950s, many decades after its invention, before that “arrangement of use” infrastructure was fully in place.

“Until we stop noticing technology,” said Arthur, “we will not have achieved that goal.”

One thing worth noticing about much of today's technology is its intrinsic lack of security. Two of this month's stories—Daintry Duffy's “How to Rope In Rowdy Technologies” (Page 44) and Scott Berinato's “The Big Fix” (Page 30)—take different angles on this fundamental problem: Berinato looks at security-driven efforts to improve software quality and Duffy looks at a quartet of bedeviling infrastructural hot spots. Only when the inherent vulnerability of our flawed technology architectures is addressed successfully will the “arrangements of use” for the information revolution be complete.

While in Texas in August to promote our new magazine, I met with David Pulaski, CEO of a startup company called IM-Age Software. The bit before the hyphen stands for instant messaging, which happens to be one of the technologies least beloved by CSOs (see Duffy's story). Pulaski talked evangelistically about his solution, which entails the end-to-end encryption of instant messages. Finally it dawned on me that Pulaski is interested in taming the unsavory aspects of IM not because he wants to make your lives easier. He's doing it so that the enterprise market for IM will grow much bigger, much faster. He's an IM vendor, not a security vendor. Secure IM is Pulaski's Trojan horse for accelerating acceptance of IM by the CSOs and CIOs who will otherwise cool eager users' jets unless the security issues get fixed. Clearly, Pulaski has recognized the truth of Arthur's basic point: Revolutions can't live on revolutionaries alone. After a technology is invented, it must then be civilized.

So we are now in the era of technology civilization. And CSOs are among the shock troops whose work will bring the information age into its next renaissance.

-Lew McCreary
mccreary@cxo.com
You're the king. Strong. Safe. Protected. Right? Wrong.

The fact is, if your network isn't protected by NetScreen, you could be far from safe. You see, technological advances don't only occur in the corporate world. Predators — inside and outside your network — have also made leaps and bounds. Trojan Horses. Worms. Nimda. Code Red. Denial of Service attacks. All emerging threats that many legacy security solutions just can't handle.

NetScreen can. NetScreen's line of purpose-built security systems and appliances has the flexibility and performance to handle new threats. And evolve with them. Keeping not only the central site connected and secure, but also your wireless LANs and remote offices. NetScreen's solutions offer integrated VPN, firewall and network attack blocking. All of which are key to keeping predators under control. And your entire enterprise out of trouble. Find out more about securing your place at the top. Download a white paper on protecting your network from the new generation of security threats at www.netscreen.com/ad/na_cs.

NetScreen
Scalable Security Solutions


THE RESOURCE FOR SECURITY EXECUTIVES

CSO wishes to thank the following individuals for serving as our editorial Board of Advisers, supplying their expertise and guidance to CSO's editors.*

CHRIS CHRISTIANSEN
Program Vice President, eBusiness Infrastructure and Security Software, IDC

STEPHEN E. CROSS
Director and CEO, Software Engineering Institute and CERT Coordination Center, Carnegie Mellon University

DAVID CULLINANE
CISO, Washington Mutual; President, Information Systems Security Association

DOROTHY DENNING
Callahan Family Professor, Computer Science Department, Georgetown University

DANIEL E. GEER JR.
CTO, @Stake

DAVID M. HAGER
Vice President, Network Security and Disaster Recovery, OppenheimerFunds

JOHN HARTMANN
Vice President of Security and Corporate Services, Cardinal Health

STEVE KATZ
President, Security Risk Solutions

MICKI KRAUSE
CISO, Pacific Life Insurance

BRUCE SCHNEIER
CTO, Counterpane Internet Security

JOHN TRITAK
Director, Critical Infrastructure Assurance Office

KRIZI TRIVISANI
Information Security Officer, The George Washington University

JAMES WADE
CSO, Federal Reserve System; President, ISC2

ROBERT WEAVER
Assistant Special Agent in Charge, Secret Service Electronic Crimes Task Force, New York City

*Their participation does not imply an endorsement of the magazine's contents or opinions.

HOW TO REACH US
E-MAIL: csoletters@cxo.com
PHONE: 508 872-0080
FAX: 508 879-7784
ADDRESS: CSO Magazine

Reprints are available by calling Reprint Services at 651 582-3834, or via e-mail at csoreprints@reprintservices.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

“Early on, there was nothing but the ROI question.... Fortunately, after four years, we're kind of past that.”

-CARDINAL HEALTH'S JOHN HARTMANN (SEE “KEEP IT SIMPLE,” PAGE 52)
AVAYA
© 2002 Avaya Inc. COMMUNICATION WITHOUT BOUNDARIES

Secure your entire network.

Today complete security means protecting data and voice, along with everything else your network currently includes. Having the right firewall or even securing your wireless LANs and VPNs for data is just a starting point. With the possibility of threats like accessing stored voicemails or intercepting IP Telephony traffic looming over your network, you need complete multi-vendor, multi-technology, multi-applications security consultancy. Protect all your points.

Introducing the Avaya Enterprise Security Practice. Our Security Consultants offer expertise in voice, data, and converged networks, with both technology and vertical certifications. Avaya helps secure internal and external points of access, including IP Telephony, Messaging and CRM, as well as VPNs, wireless LANs and PBXs.

With communications networks now made up of multiple interconnected parts, it's no longer safe to just protect individual pieces of them. That's why you need Avaya, the company that can assess, develop policy and design security for your whole network.

Ensure your company's future.

Don't leave your communications network unprotected. Prepare for today's rapid changes in network security and sign up for our Web Event at avaya.com/secure

INFRASTRUCTURE SECURITY

2] Get the winning edge with team IBM, a leader in end-to-end security solutions. With an arsenal of global security experts and Business Partners, self-managing servers and Tivoli® security software, you can be secure on a Fort Knox scale.

3] For more Winning Plays, visit ibm.com/e-business

e-business is the game. Play to win.
Every time someone comes to your door, a decision is made.

The CCD chip behind the lens captures an image, and the microprocessor looks for a match.

One second later—access permitted or access denied.

The iris of the human eye. Unique as a snowflake, more absolute than a fingerprint. Perfect key, meet the perfect lock.

Get in at www.lgiris.com

THERE'S A REASON LIARS, THIEVES AND SPIES NEVER MAKE CONTACT.
News | Stats and Fast Facts

The Operating System Voted Most Hackable

HACKING Earlier this year, Linux Web servers were getting hacked more often than systems running Microsoft Windows, but now Windows once again tops the list of most targeted online operating systems, according to Mi2g, a security intelligence company in London.

Widely publicized vulnerabilities in popular applications for Linux led to a spike in defacement of websites hosted on servers running Linux in April and May. However, in June and July more websites hosted on Windows systems were successfully attacked.

“The lesson we can learn is that it is difficult to say that one operating system is more vulnerable than another. It depends very much on the system administrator, the server software and third-party applications,” says DK Matai, CEO of Mi2g.

Just because Windows-based sites now get hacked into more does not mean that the open-source Linux system is more secure.

“People in the open-source movement have this mythical notion that they are more secure, that there is some kind of security through obscurity. But that is no longer true as more and more systems run open-source software,” he says.

Forrester Research analyst Laura Koetzle believes Mi2g's figures mask a more serious problem. “What matters is not that one was compromised more in a particular month but when the vulnerabilities were discovered and how long it took for the vulnerabilities to be patched,” she says. “Microsoft's job is to make it easier to patch systems.” -Joris Evers

[Chart: Incidents of Defacement, May '02 and June '02, Linux vs. Windows. SOURCE: Mi2g]

Viral Tendencies

Viruses that cripple computers and the viruses that afflict humans share more than just a name, according to a study titled “Virtual Virology” by Network Associates Inc. (NAI) and the London-based National Institute of Medical Research (NIMR).

Both medical and computer viruses comprise large strings of basic elements that together form a complex organism. Both are masters of disguise and use similar techniques to hide. And just like a computer virus, a medical virus travels around the globe from east to west. The study found that the human immune system and antivirus software even work in a similar way to fight viruses; both learn from previous infections about how to fight new ones.

While the similarities between the medical and computer viruses may be the most striking part of the study, NAI and the NIMR view the data as a starting point to improve the way both types of virus researchers work. For example, medical virus researchers have recognized criteria to place biological viruses in internationally accepted hazard groups, whereas antivirus companies have their own methods of categorizing the same viruses, adding unnecessary confusion to the situation. On the other hand, computer virus researchers collect virus information faster than medical researchers. Although a faster pace is endemic to the technology world, the medical world could attempt to emulate this pace and improve its research methods through computerization.

Now, if only computer viruses could be cured by a little chicken soup. -J.E.

[Stat callout: Percentage of security executives who are unsure whether their company's insurance covers cybercrime losses. SOURCE: CSO'S SECURITY SENSOR SURVEY “THE EVOLUTION OF THE CHIEF SECURITY OFFICER,” JULY 2002]

ILLUSTRATION BY JESSICA ALLEN
BIOMETRICS

The Eyes Have It

A new iris-scanning security device at the Pentagon Athletic Center (POAC) is aiming to improve security and relieve staffers from carrying access cards. Launched by the Department of Defense's Biometrics Management Office (BMO) this summer, the project is part of the BMO's Quick Look program in which it tests and evaluates various off-the-shelf biometric products for the DoD.

This particular project uses Iridian Technologies' IrisAccess 2000, which scans and verifies a user's identity using the subtle details of his eye's iris. POAC members need to simply look at a mirrored camera from a distance of 3 inches to 10 inches. The system instantaneously grants access if a match is identified in the database. Enrollment is voluntary, and signing up is as simple as capturing a user's ID info and an iris scan and entering it into the IrisAccess system.

Once the last phase of the three-phase testing is complete at the end of this month, the BMO and DoD will evaluate the system and gather feedback from the 200 (and counting) users who signed on, says Margo English, project lead for the POAC biometric testing project. “The system provides an extra layer of security than what the current procedures provide at the POAC,” he says. “It will also add a level of confidence and convenience for the users.” The POAC site was chosen because of the varied demographics (the combination of rank, race and sex) of the Pentagon staffers who use the center. And with no ID card to remember, those staffers now won't have any excuse for skipping their workout. -Tom Wailgum

CSO SURVEY EXCLUSIVE

Who poses the greatest security threat to your company's infrastructure?

[Chart: Former employees 10%; External persons not employed by your organization 28%; Current employees; Unsure.]

SOURCE: CSO'S SECURITY SENSOR SURVEY “THE EVOLUTION OF THE CHIEF SECURITY OFFICER,” JULY 2002. RESULTS BASED ON THE RESPONSES OF 1,009 SECURITY PROFESSIONALS. COMPLETE SURVEY RESULTS CAN BE FOUND ONLINE AT WWW.CSOONLINE.COM/PRINTLINKS.

Now Scan This

E-MAIL Preventing viruses and worms from entering e-mail systems is becoming more challenging as viruses continue to get smarter. However, a relatively new alternative to that is outsourcing e-mail scanning.

“We were using an antivirus tool, and new viruses were still getting by and hitting our systems. We looked at gateway tools but concluded that it was more work than it was worth for our small IT staff,” says Chris Monicatti, director of technology services at the Minnesota Wild National Hockey League team.

All e-mail to and from Minnesota Wild is now scanned by MessageLabs. Messages are scanned with two e-mail scanning products and investigated by a proprietary tool.

This growing interest in e-mail scanning can be chalked up to the fact that companies are more diligent now than a year ago in protecting themselves against viruses, says Maurene Caplan Grey, research director at Gartner. Outsourcing e-mail scanning is not different from outsourcing any other part of IT, Grey says. “There are organizations that are unable to manage their internal environment or that have a fractured environment with disparate offices with their own e-mail gateways. Outsourcing may be less costly in such cases.” Gartner further advises companies to install scanning tools from different vendors at the firewall, at the e-mail server and at the desktop. “One vendor is going to be first to provide the signature to catch a new virus,” says Grey, so companies stand a better chance of being protected if they rely on multiple solutions.

-J.E.
Security

Paul L. Greene
Director of Information Security
NeuStar, Inc.
www.neustar.biz

NeuStar operates the registry of all North American telephone numbers, the database that North American carriers use to route billions of telephone calls daily, and runs both the .us and .biz registries.

“NeuStar's unique service and position in the telecommunications industry make it a target of attacks. We need rock solid security and a vendor who understands what that means. CyberGuard was the first in the world to achieve EAL4 certification for its firewall appliances; that really impressed us.

“We knew they would be capable of providing the level of sophisticated security support we needed and we have not been disappointed; their technical support team knows security and CyberGuard's ability to deliver on everything they promised enabled us to meet our tight deadline for deliverables. Today, we have CyberGuard's firewall appliances in three countries.

“I have an experienced team, but on more than one occasion I had to enlist the help of a junior engineer to install the firewall. I was able to talk them through the process over the phone. I'm happy to report that those systems have been functioning in a production environment for over one year without a hitch. And CyberGuard rocks the competition in the performance impact category.”

CyberGuard's security solutions are found in Fortune 1000 companies and governments worldwide. CyberGuard's award-winning, premium firewall/VPN appliances maintain complete separation of network traffic from system components.

CYBERGUARD®
WORLDWIDE
DEFEND YOUR DOMAIN

Phone: 954.958.3878 • e-mail: info@cyberguard.com • For white papers on Rock Solid Security go to: www.cyberguard.com/rocksolid.cfm
Copyright 2002 CyberGuard Corporation. All rights reserved.


Philip  J.  Kaplan  Wants 
to  Read  Your  Mail 


Phil Kaplan, the entrepreneur behind F**kedcompany.com, the website that documented the dotcom demise, has a new site that is guaranteed to make corporate executives and CSOs cringe. InternalMemos.com is a site that encourages employees to post internal corporate communications online for general entertainment. The memos range from a message warning employees about drug-taking in the restrooms (obviously not something they want their customers to read about) to far more mundane announcements of new executive appointments. Some of the posted messages even come with headers that warn “Please treat this message as confidential and do not forward.” As the volume of communications posted on the site makes clear, employees aren’t paying much attention to those admonitions, and Kaplan doesn’t much care about the privacy of your company’s secrets. CSO asked Kaplan recently about his new site and its effect on corporate security.


CSO: What gave you the idea to start InternalMemos.com?

Phil Kaplan: I had about 1,000 [corporate] memos sitting around that had been sent to me, and I thought, hey, I could probably make money from these.


What kind of feedback have you received from the companies whose memos you’ve posted? Has anyone tried to shut you down?

I get cease and desist letters all the time, but they’re usually for things that people have posted in my various message boards. Generally, companies don’t have a problem with my sites in the same way that they don’t have a problem with The Wall Street Journal.


What is your opinion of software programs like Rovia’s ShareSafe that track and prevent the forwarding of documents and e-mails to sites like yours?

It doesn’t matter—people will figure out how to forward an e-mail without getting caught.


Would you ever consider not posting a memo if the information posed an economic or security threat to a company?

I post each memo on a case-by-case basis, but, honestly, I don’t even read most of them, so I don’t know what’s in them.


Phil Kaplan may be the only one amused by his latest venture-
“Communication is better. Now instead of seeing security attacks on CNN we get the information first.”

-CHARLES HENDERSON, NATIONAL GRID USA VICE PRESIDENT AND DIRECTOR OF CORPORATE SECURITY, NEW ENGLAND AND NEW YORK


Science Is Golden

Many of the nation’s leading scientists and engineers say what’s missing in the fight against terrorism is research.

“Making the Nation Safer: The Role of Science and Technology in Countering Terrorism,” a report by 118 leading researchers associated with the National Academy of Sciences (NAS), serves as a sort of call to arms—or more specifically a call to labs. The group urges new research into updating everything from IT systems to defenses against threats like “dirty bombs.”

That is where the proposal of a “homeland security institute” comes in. The paper suggests that a full-fledged research facility be created in the proposed Department of Homeland Security, complete with an undersecretary of science and technology to coordinate between the White House, the National Academies and the National Institute of Health.

There are two ways to look at the NAS paper: Either we have an honest effort to clarify the nation’s goals for the purpose of making us safer, or we have an honest effort to create a coherent research strategy that actually creates more bureaucracy and will be hard to pay for.

The NAS proposal could be either, or both. But in a telling moment, it calls for serious cooperation between the private sector and government researchers. The challenges that kind of cooperation has posed in the IT sector with efforts like the Electronic Crimes Task Force and the ISACs indicate that this is no small task.

But credit NAS with ambitious thinking, even if its efforts lead to naught. -Scott Berinato


TREND MICRO

If left alone, technology will do what it was originally designed to do. Nothing more and nothing less. Forever. But, in reality, every single moment of every single day is as different as the last.

Technology cannot prepare us for the future.

It is incapable of intuition.

Intuition is the application of knowledge based on experiences, patterns and trends. Only when technology is combined with the human ability to create new strategies can information be protected. Intuitive Information Security melds human intuition and adaptive technology together to create evolving strategies. Ones able to protect information and anticipate threats across the entire network instantly. Now, and well into the future. For more information, visit trendmicro.com/go-red.
First Step: Understand the Problem

WEB MONITORING “Hi. My name’s Bob, and I’m an Internet addict.”

If you’re not monitoring what your employees are doing online, a recent survey of workers’ Web habits should make you reconsider. The “Web@Work Survey 2002: Cyber-Addiction in the Workplace,” conducted by Harris Interactive and commissioned by Websense, polled 305 employees and 250 HR managers about employees’ online activities. It found that workers spend more than one full workday each week surfing websites unrelated to their job. The survey also found that 25 percent of employees surveyed feel that they are actually addicted to the Internet.

Interestingly, while companies tend to focus on blocking employee access to the more lascivious pursuits of Internet pornography and gambling, the surveyed employees identified tamer activities as being the most addictive in the workplace.

-Daintry Duffy


Freedom of Expression

Hackers and software pirates can no longer rely on Internet service providers to protect their freedom of expression. According to new laws passed in Europe and the United States, ISPs will now be required to take an active role in preventing illegal activity from occurring on their servers. Case in point: After prompting from piracy monitors at the Business Software Alliance (BSA), a Finnish judge ordered the Jippii Group, a Finland-based ISP, to shut down a customer’s website that allegedly helped visitors obtain and use pirated software. The court order followed repeated requests by the BSA for Jippii to dismantle the site, requests Jippii ignored until the BSA could definitively prove that the site was providing visitors with activation numbers required to bootleg popular software programs.

Until recently, ISPs could not be held legally accountable for their customers’ online activities, but the Jippii case shows a change in the international view of ISP liability. Now, ISPs can be taken to court for negligence and, if the charges are proven, the ISP must pay damages. Though ISPs have traditionally cooperated with authorities in hacking or piracy cases, they have often drawn the line at delving into online content disputes.

Many ISPs are critical of laws including the Digital Millennium Copyright Act in the United States and the European parliament’s directive on privacy in electronic communications, which require ISPs to take down sites immediately following notification of illegal activity, because the onus is placed on the ISP and not the website publisher. The BSA disagrees, says Beth Scott, vice president of BSA Europe. “We hope this particular case sends a strong message to ISPs,” she says. “We will take action if ISPs behave irresponsibly.”

What the issue of responsibility comes down to is the fact that ISPs are identifiable, they’re easy to find, and they have money. But the reason organizations like the BSA should go after ISPs is because they have the power to change the Internet security landscape, says Alan Paller, director of research at the SANS Institute. “The real problem is that users don’t know and don’t care about security,” he says. ISPs should audit the security of the websites they host. “Not the content, just the security—like cars are inspected every year for driveability,” he says. “They can lay down the law and say if you don’t run a safe computer, you can’t be online.” -Simone Kaplan


Besides e-mail, what kind of Web content do your employees feel is most addictive?

Shopping: 24%
News: 23%
Pornography: 18%
Other/None of above: 13%
Gambling: 8%
Not sure: 8%
Auctions: 6%

SOURCE: WEBSENSE “WEB@WORK SURVEY 2002: CYBER ADDICTION IN THE WORKPLACE.”


The Security Management Index

Security issues are getting the attention of executive boards everywhere, mainly because of the dramatic growth in the number and kinds of threats to information and physical security. To help CSOs benchmark their security management efforts and then translate today’s International Organization for Standardization standards into a best-practices security program, the Human Firewall Council has developed an online survey, called the Security Management Index (SMI).

The entire survey requires approximately 30 minutes to complete. Results are immediate in the form of an SMI score that is compared to other organizations that have taken the survey. Results are confidential, and each survey participant is provided with a user ID and password to access results online. Once the survey has collected feedback from at least 500 participants, a “Management Guide to Building an Enterprise Security Program” will be produced using aggregate data from the survey to identify trends. CSO will publish the results in an upcoming issue.

For more information or to take the survey, go to www.humanfirewall.org/smi.
Securing Your Success

Voice: 732.577.8100

There’s a reason why we are the leader in Information Security Recruitment.

That’s all we do.

www.ljkmhner.com


BUT NOT THE PREDICTABLE ONES.

According to leading industry analysts, over 15% of laptops are lost, stolen or suffer hardware failure each year. With up to 40GB hard drives common these days, that’s a lot of data at risk. Yet most companies still only think of backing up their servers. Which leaves all that data on all those PCs vulnerable. (And don’t even get us started on the perils from hackers, viruses, losses, and user errors.)

What’s a CIO to do? Prepare for the absolute worst with the absolute best. Connected TLM. The five-star-award-winning software that backs up and recovers anything from a single file to an entire disk image. Laptop or desktop. One or 100,000. Continuously. Transparently. Completely. To our data center or yours.

So no matter what befalls your data, or where, it can be entirely restored. In a breeze.

CONNECTED

Visit www.connected.com or call 800.934.0956 (toll free North America). Over 450 organizations are now covered by Connected. These include Boeing, Cisco Systems, Citgo Petroleum, EMC, Gap Inc., Goodrich, Hewlett-Packard, Koch Industries, PeopleSoft, Silicon Graphics, U.S. Postal Service and Verizon.
The Who, What and Why of Washington

Top Billing

NEWS FROM INSIDE THE BELTWAY

Not So Hands-Free

A new directive from the Department of Defense questions the security of wireless devices (see story, left).

The military cracks down on handhelds to prevent unintended communication with the enemy
By Julie Hanson

THERE ARE more than 3 million civilian and military personnel in the U.S. Department of Defense (DoD), and as you can imagine, selecting what technologies and tools they use to communicate top-secret information is a big priority. While wireless applications may have the support of the private sector, the military has questioned their security, distributing an interim proposal to halt the use of certain wireless devices and services.

According to a spokesperson for the DoD, the wireless applications in question are not cell phones but third-generation devices such as handheld organizers and other applications that use wireless technologies, which may or may not live up to the security requirements of the DoD.

Another concern of the DoD is that some wireless devices emit constant signals, sometimes without the knowledge of the user. That means the enemy could locate military personnel or tap in to conversations. For example, John Stenbit, CIO and assistant secretary of command, control, communications and intelligence for the DoD, used a wireless signal scanner and detected outgoing signals during a recent meeting with top military compatriots. One by one, meeting attendees turned off their wireless devices, but the scanner still detected signals. Offending devices had to be removed from the room to ensure that top-secret military information wasn’t being disseminated to the enemy. “This is not just a matter for the DoD but perhaps the whole business community,” says DoD spokesman Lt. Col. Ken McClellan.

Soldiers in the field use handhelds to send and receive information.

For now, DoD personnel must stop using all unapproved wireless devices or face punitive damages. The DoD has yet to finalize a list of which devices are OK and which are not; in the interim, personnel are asked to use common sense. McClellan acknowledges that this directive will have a significant impact on military personnel worldwide, limiting their communication tools. But more important, the directive ensures protection for the DoD information grid.

“There will be an impact on those using the devices now, but military personnel need to think about where they are using these devices and who they are communicating with,” says McClellan. The interim directive is a placeholder for a final policy on wireless usage to be developed in part by the National Security Agency. The new policy is expected to mandate a national standard for wireless usage within the government and military.

Even wireless advocates agree that right now not all wireless products are secure enough for government use. Cellular Telecommunications & Internet Association spokesman Travis Larson calls the DoD’s move a necessary step. Larson says that all users should be securing their wireless applications, and if devices or systems are not secure, they should find a patch or limit use. ■

For more on WIRELESS security, see “How to Rope in Rowdy Technologies,” Page 44.


A House bill titled Federal Agency Protection of Privacy Act (H.R. 4561) will require federal agencies to put together a privacy impact analysis before approving new regulations. The analysis must detail how individuals’ privacy will be impacted, what personal information will be collected, and how that information will be maintained, used and disclosed. Citizens will have access to their information and be allowed to change inaccuracies.

A Washington attorney and executives from two security companies, Versar and Haynes Security, have joined to form the Homeland Security Industries Association, an organization designed to recommend how government and industry can work together on critical homeland security areas. More than 60 companies have been active in forming this nonprofit organization.

A new report released by the Electronic Privacy Information Center and London-based Privacy International finds that laws protecting privacy in the workplace are gaining support around the world. The report also found that countries are increasing their communications surveillance and profiling of individuals while weakening data protection regimes. More than 50 countries took part in the study.

Rep. Howard Berman (D-Calif.) has introduced a bill (H.R. 5211) to protect software developers from copyright infringement on publicly accessible peer-to-peer (P2P) networks. Berman suggests that P2P downloads constitute copyright infringement for creators, including photographers, film producers and songwriters. This bill will permit the development of technologies to stop that piracy but not impair P2P networks.
1] WIN WITH SECURITY: It isn’t always about hackers. E-business security must also ensure that only the right users (within and outside of your company) get the right information at the right time.

2] WIN WITH TIVOLI: Whether it’s granting access to customers or CEOs on PDAs, Tivoli Security Management software centrally secures and manages your network across multiple platforms. Tivoli. Part of our software portfolio including DB2®, Lotus® and WebSphere®.

3] MAKE THE PLAY: Visit ibm.com/tivoli/secure for a white paper on how Tivoli Security Management can maximize your ROI.

SECURITY MANAGEMENT PLAY

e-business is the game. Play to win.

MERGER

BIG CHEESE

IBM, the e-business logo and e-business is the game. Play to win are registered trademarks or trademarks of International Business Machines Corporation in the United States. IBM Corporation. All rights reserved.


Balancing Risk and Responsibility

Contra Costa County CISO Kevin Dickey answers readers’ questions about security in local government
Edited by Kathleen Carr

Q: Local government uses a lot of commercial off-the-shelf software. How do you manage the risk of an attack originating in a third-party application?

A: Historically, most hacks can be linked to old, known vulnerabilities. I cannot stress enough that IT staffers need to get on all the vulnerability and threat mailing lists to track the solutions for the architecture that they maintain. I know how much information that is—but it’s important. You have to stay on top of patches.

If necessary, there are niche vendors surfacing that will do this for you. They know your infrastructure, and they monitor the various advertised and unadvertised vulnerabilities in your deployed systems, and either make the updates and patches for you or pass the information to your technical staff.

Another consideration is the old concept of maintaining development, test and production environments.

Q: How are you addressing the federally mandated—but minimally funded at the local level—requirements for homeland security?

A: The homeland security efforts are still addressing the first responders’ initiatives and are not, unfortunately, addressing the bigger picture of prevention efforts. I’m partnering with our first responders, the sheriff, fire and health-care organizations, in order to leverage their funding sources (federal and state).

As we did in the Y2K efforts, where IT organizations championed the “what if” efforts and then shared that strategy with everyone else, including the first responders, I’m attempting to use the reverse process. That is to say I’m making the connection with the first responders to have them recognize that we all need to share in this current effort, including funding, to address their concerns of silo databases, disparate communications and GIS/GPS enhancements. They need us, and we need them to make this work.

I’m also looking toward the federal agencies for possible grants—watching all federal and state legislation for possible funding opportunities—and have begun work with our California State Association of Counties, whose prime goal is to represent county government before the California legislature, administrative agencies and the federal government.

Q: Does your responsibility extend to the critical infrastructure and the technology that supports it, and if so, do you have outsourced physical security monitoring and outsourced IT security monitoring?

A: My responsibility as the CISO is countywide, although I administratively report through the CIO. It is IT’s responsibility as the custodian of the informational assets to ensure that the owner’s legal and moral obligation to protect that information is achieved. Information security on the other hand is not hands-on per se, yet CSOs must be the jack-of-all-trades in the IT arenas and also know the business issues, including physical security, disaster recovery and business contingencies. I would make the statement (by policy or through a directive) that critical infrastructure must be maintained, and then the various IT staff would work with their customers (information owners) to determine what is critical, how that infrastructure must be maintained to ensure legal obligations, business continuity and disaster recovery.

Our physical security is centralized through our general service department with alert monitoring internally and with alerts to an outsourced monitoring vendor. The physical monitoring we engage in is indeed 24/7/365. Logical monitoring is the responsibility of the various IT entities throughout the county as each department has some IT responsibilities. The wide area network administration is all done in-house, in a centralized IT department, including the monitoring.

Information security has governance over the domains of access control systems and methodology; telecommunications and network security; business continuity and disaster recovery planning; security management practices; security architecture and models; law, investigations and ethics; application and systems development; cryptography; computer operations security; and physical security. ■

Kevin Dickey is the CISO for Contra Costa County, Calif.

Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to csoletters@cxo.com.

Go online to see what your peers are discussing at www.csoonline.com/counsel.
Workplace Violence
Information Loss
Employee Backgrounds
Surveillance
Risk Liability
Bio-Terrorism
Unspecified Threats
Access Control
Safety
Theft

ARE YOU STILL RELYING ON TRADITIONAL SECURITY?

The world has changed. As security professionals, we now have to be prepared for anything, including the unspecified and the unthinkable. It’s an enormous responsibility, but one that doesn’t have to be yours alone. We understand how your job is more important now than ever before, and we want to help. Let us get to know your business and your concerns. Then we’ll draw from the broadest range of products and experience available, including the latest in digital video and access control. All to create a solution that meets the unique security needs of your company. Getting in touch is easy. Just call us at 1-877-258-6424 or visit adt.com.

And when everybody looks to you for peace of mind, look to us. ADT. Always there.
Domesticating the Database

Our law, ethics and privacy columnist weighs in on protecting the corporate information assets

By David H. Holtzman

IT NEVER CEASES TO AMAZE me that companies know where every potted tree in the building is situated, yet have no idea what is planted in their computer systems. I’m talking about the enterprise databases—the most valuable asset a company has. The information contained in these databases will, if properly cared for, yield a bountiful sales harvest for many years. So why are they tended by hourly employees who have no stake in the company? Where is the oversight?

Corporate data should be the second-best guarded part of an organization (after the employees). How much of a company’s assets are locked up in these databases? A good rule of thumb is that each active customer record in a database is worth whatever the acquisition cost would be to replace that customer, usually $20 and up depending on the industry.

Databases are not only valuable for producing revenue, but if mishandled, they can cause incalculable damage to a company.

Yet very few companies have procedures in place that reflect this economic reality. Ask yourself who in your company has the authority to sign a check for $10,000. Now, who can access any machine, database, software application or backup tape that has customer information on it? If they’re not the same person or don’t have at least the same pay grade, you have a problem.

I ran engineering and ops for Network Solutions in the late ’90s. At the time, we functionally ran the domain name server (DNS) system for the National Science Foundation including most of the domain name system. On July 16, 1997, a junior-level administrator made a clerical error that caused near real-time global outages across the DNS system. Even though a software bug had originally caused the problem, the real damage occurred when the “man in the loop” failed and the employee transmitted a bad file that was automatically loaded by other servers. The end result was that a significant percentage of people around the world were unable to surf the Web or use e-mail. We fixed it quickly, but there were lingering problems for days and the company received a great deal of unfavorable media attention. Needless to say, we built accountability and redundancy into the human parts of the operational system to avoid similar problems in the future.

I learned a lot from that event, and I’ve generalized it into a rule: People cause almost all database glitches because they put the information into the system and they take it out again. To effectively control enterprise data, you need to control the people who process it. The most effective way to wield that control is through a measurable, unambiguous process that emphasizes accountability.

Any good data security process should include at a minimum:

1. A complete description of every database in the company
2. A policy that outlines how the company will use the information in each of those databases
3. Who in the company by title can use the information and in what way
4. Who by name has the authority to make exceptions
5. A signed list of all exceptions
6. Regularly scheduled and ad hoc audits for compliance

Management of this process is the primary function of the chief security officer. It is the most effective way for CSOs to exert their authority across the entire company with minimal staffing expense.

The CSO must own this process because no other executive has both the technical knowledge and the objectivity to protect the shareholders’ assets. The CSO should assist senior management in creating policy, work with the general counsel to ensure that any pertinent legal issues are addressed, conduct the audits and regularly report the results to the board of directors.

Putting a comprehensive security process in place to manage customer data is like fencing an orchard. It encourages orderly growth, clearly defines boundaries and keeps the product from getting plucked. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at dholtzi* erols.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.
Use a password to protect your VPN and your critical business data could end up almost anywhere.

The information accessed through your VPN shouldn’t be considered banner news. But too often, it is. Because the only thing keeping it secure is a single password. That can have damaging effects on you, your customers, your partners, even your bottom line. With the RSA SecurID® solution, you’ll protect your critical business data with two-factor authentication, securing your VPN and making it extremely difficult to hack. And because VPN providers like Checkpoint, Nortel, Lucent, Cisco and dozens of others design their VPNs to RSA Security, you can be sure it will operate simply and flawlessly in almost any environment. That means a lot less worrying about where your confidential information might show up.

To receive your VPN Security Info Kit and to qualify for a FREE 25-User Trial of RSA SecurID two-factor authentication, go to www.rsasecurity.com/go/vpn-CSO. Or call 1-800-495-1095.
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Insecure  software  is  forcing 
vendors  to  do  what  they’ve  never 
done  before:  make  good  software 


By  Scott  Berinato 


Let  s  start  where  conversations 
apo.ut  .software  usua,  ly  ena: 
Basically,  software  sucks. 

In fact, if software were an office building, it would be built by a thousand carpenters, electricians and plumbers. Without architects. Or blueprints. It would look spectacular, but inside, the elevators would fail regularly. Thieves would have unfettered access through open vents at street level. Tenants would need consultants to move in. They would discover that the doors unlock whenever someone brews a pot of coffee. The builders would provide a repair kit and promise that such idiosyncrasies would not exist in the next skyscraper they build (which, by the way, tenants will be forced to move into).

Strangely, the tenants would be OK with all this. They’d tolerate the costs and the oddly comforting rhythm of failure and repair that came to dominate their lives. If someone asked, “Why do we put up with this building?” shoulders would be shrugged, hands tossed and sighs heaved. “That’s just how it is. Basically, buildings suck.”

The absurdity of this is the point, and it’s universal, because the software industry is strangely irrational and antithetical to common sense. It is perhaps the first industry ever in which shoddiness is not anathema—it’s simply expected. In many ways, shoddiness is the goal. “Don’t worry, be crappy,” Guy Kawasaki wrote in 2000 in his book, Rules for Revolutionaries: The Capitalist Manifesto for Creating and Marketing New Products and Services. “Revolutionary means you ship and then test,” he writes. “Lots of things made the first Mac in 1984 a piece of crap—but it was a revolutionary piece of crap.”

■ IN THIS STORY: Why application security has been so bad for so long ■ How that’s changing ■ How to write software contracts that hold vendors accountable

The only thing more shocking than the fact that Kawasaki’s iconoclasm passes as wisdom is that executives have spent billions of dollars endorsing it. They’ve invested—and reinvested—in software built to be revolutionary and not necessarily good. And when those products fail, or break, or allow bad guys in, the blame finds its way everywhere except to where it should go: on flawed products and the vendors that create them.

“We’ve developed a culture in which we don’t expect software to work well, where it’s OK for the marketplace to pay to serve as beta testers for software,” says Steve Cross, director and CEO of the Software Engineering Institute (SEI) at Carnegie Mellon University. “We just don’t apply the same demands that we do from other engineered artifacts. We pay for Windows the same as we would a toaster, and we expect the toaster to work every time. But if Windows crashes, well, that’s just how it is.”

Application security—until now an oxymoron of the highest order, like “jumbo shrimp”—is why we’re starting here, where we usually end. Because it’s finally changing.

A complex set of factors is conspiring to create a cultural shift away from the defeatist tolerance of “that’s just how it is” toward a new era of empowerment. Not only can software get better, it must get better, say executives. They wonder, Why is software so insecure? and then, What are we doing about it?

In fact, there’s good news when it comes to application security, but it’s not the good news you might expect. In fact, application security is changing for the better in a far more fundamental and profound way. Observers invoke the automotive industry’s quality wake-up call in the ’70s. One security expert summed up the quiet revolution with a giddy, “It’s happening. It’s finally happening.”

Even Kawasaki seems to be changing his rules. He says security is a migraine headache that has to be solved. “Don’t tell me how to make my website cooler,” he says. “Tell me how I can make it secure.”

“Don’t worry, be crappy” has evolved into “Don’t be crappy.” Software that doesn’t suck. What a revolutionary concept.
Software applications lack viable security because, at first, they didn’t need it. “I graduated in computer science and learned nothing about security,” says Chris Wysopal, technical director at security consultancy @Stake. “Program isolation was your security.”

The code-writing trade grew up during an era when only two things mattered: features and deadlines. Get the software to do something, and do it as fast as possible. Cyra Richardson, a developer at Microsoft for 12 years, has written code for most of the company’s major pieces of software, including Windows 3.1. “The measure of a great app then was that you did the most with the fewest resources”—memory, lines of code, development hours, she says. So no one built secure applications, but no one asked for them either. Windows 3.1 was “a program made up almost entirely of customers’ grassroots demands for features to be delivered as soon as possible,” Richardson recalls.

Networking changed all that. It allowed someone to hack away at your software from somewhere else, mostly undetected. But it also meant that more people were using computers, so there was more demand for software. That led to more competition. Software vendors coded frantically—under the insecure pedagogy—to outwit competitors with more features sooner. That led to what one software developer called “featureitis.” Inflammation of the features.

Now, features make software do something, but they don’t stop it from unwittingly doing something else at the same time. E-mail attachments, for example, are a feature. But e-mail attachments help spread viruses. That is an unintended consequence—and the more features, the more unintended consequences.

As networking spread and featureitis took hold, some systems were compromised. The worst case was in 1988 when a graduate student at Cornell University set off a worm on the ARPAnet that replicated itself to 6,000 hosts and brought down the network. At the time, events like that were the exception.

By 1996, the Internet supported 16 million hosts. Application security—or, more specifically, the lack of it—turned exponentially worse. The Internet was a joke in terms of security, easily compromised by dedicated attackers. Teenagers were cracking anything they wanted to: NASA, the Pentagon, the Mexican finance ministry. The odd part is, while the world changed, software development did not. It stuck to its features/deadlines culture despite the security problem.

Common Vulnerabilities

EXPERTS SAY THE FOLLOWING common problems in software code, which programmers haven’t bothered to mitigate, account for the vast majority of vulnerabilities. The good news: Most of these are easily fixed if they’re found.

Buffer overflows. If a programmer doesn’t tell a program to limit the amount of data that can go into an input field, a malfeasant can stuff that field with tons of data, flooding other parts of memory and letting the bad guy take control of the system.

Format string vulnerabilities. Format strings are what tell, say, a printer how to present letters and numbers on a page. If a user inputs rogue code into the format string, they can take control of the computer, in a similar way to buffer overflows.

Canonicalization issues. An attacker can bypass security checks simply by knowing that when Y program handles X program’s data, it doesn’t do the same security check.

Inadequate privilege checking. Someone can slip in unchecked if a program doesn’t ask for authentication at every doorway to features.

Script injection. If a programmer fails to strip out the capability to run script, attackers can enter and run it. For example, attackers could enter commands into a SQL database query that allows them to execute commands on the system.

Information leakage. Because of poor design, some programs expose their own playbooks—directory structures, configuration information, IP addresses, passwords—to attackers who know where to look for such information.

Error handling. A subset of information leakage, sometimes the way a program handles an error exposes information an attacker can use. For example, an e-mail bounces back and the error message might contain IP addresses, server names, or even type of server that let the attacker know how and where to hack.

SOURCE: @STAKE, CSO
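As an added illustration of the first two entries in the Common Vulnerabilities sidebar above (not code from the article or from @Stake), here are the unbounded copy and the user-controlled format string beside their hardened forms in C; the function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* "Before" form of the sidebar's buffer-overflow entry: nothing limits how
 * much of 'src' goes into 'dst', so input longer than the buffer spills into
 * adjacent memory. Kept only for contrast; nothing below calls it. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the caller passes the size of 'dst', the input is checked
 * against it first, and an over-long input is refused outright rather than
 * silently truncated. Returns 0 on success, -1 if the input does not fit
 * ('dst' is then left as an empty string, a defined state). */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* Look for the terminating NUL only within the first dst_size bytes of
     * src; if it is not there, src plus its NUL cannot fit in dst. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the NUL */
    return 0;
}

/* "Before" form of the sidebar's format-string entry: the message itself is
 * used as the format, so directives inside it ("%x", "%n", ...) are
 * interpreted instead of printed. Kept only for contrast; nothing below
 * calls it. */
int render_unbounded_format(char *out, size_t out_size, const char *msg)
{
    return snprintf(out, out_size, msg);
}

/* Hardened form: a fixed, programmer-controlled format, with the message
 * passed as a "%s" argument so its bytes are copied literally. Returns the
 * number of characters written (not counting the NUL), or -1 if the
 * rendered line would not fit in 'out'. */
int render_fixed_format(char *out, size_t out_size, const char *msg)
{
    int n = snprintf(out, out_size, "user: %s", msg);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: a name that fits, one that does not, and a
     * message carrying format directives that must come out literally. */
    char name[8];
    char line[32];

    printf("short name: %d\n", copy_bounded(name, sizeof name, "alice"));
    printf("long name:  %d\n", copy_bounded(name, sizeof name, "averylongname"));
    printf("fixed fmt:  %d -> %s\n",
           render_fixed_format(line, sizeof line, "%x%x%n"), line);
    return 0;
}
```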

Even today, the software development methodologies most commonly used still cater to deadlines and features, and not security. “We have a really smart senior business manager here who controls a large chunk of this corporation but hasn’t a clue what’s necessary for security,” says an information security officer at one of the largest financial institutions in the world. “She looks at security as, Will it cost me customers if I do it? She concludes that requiring complicated, alphanumeric passwords means losing 12 percent of our customers. So she says no way.”

Software development has been able to maintain its old-school, insecure approach because the technology industry adopted a less-than-ideal fix for the problem: security applications, a multibillion-dollar industry’s worth of new code to layer on top of programs that remain foundationally insecure. But there’s an important subtlety. Security features don’t improve application security. They simply guard insecure code and, once bypassed, can allow access to the entire enterprise.

That’s triage, not surgery. In other words, the industry has put locks on the doors but not on the loading dock out back. Instead of securing networking protocols, firewalls are thrown up. Instead of building e-mail programs that defeat viruses, antivirus software is slapped on.

When the first major wave of Internet attacks hit in early 2000, security software was the savior, brought in at any expense to mitigate the problem. But attacks kept coming, and more recently, security software has lost much of its original appeal. That—combined with a bad economy, a new focus on national security, pending regulation that focuses on securing information and sheer fatigue from the constant barrage of attacks—spurred CSOs to think differently about how to fix the security problem.
In addition, a bevy of new research was published that proves there is an ROI for vendors and users in building more secure code. Plus, a new class of software tools was developed to automatically ferret out the most gratuitous software flaws.

Put it all together, and you get—ta da!—change. And not just change, but profound change. In technology, change usually means more features, more innovation, more services and more enhancements. In any event, it’s the vendor defining the change. This time, the buyers are foisting on vendors a better kind of change. They’re forcing vendors to go back and fix the software that was built poorly in the first place. The suddenly efficacious corporate software consumer is holding vendors accountable. He is creating contractual liability and pushing legislation. He is threatening to take his budget elsewhere if the code doesn’t tighten up. And it’s not just empty rhetoric.

Mary Ann Davidson, CSO at Oracle, claims that now “no one is asking for features; they want information assurance. They’re asking us how we secure our code.” Adds Scott Charney, chief security strategist at Microsoft, “Suddenly, executives are saying, We’re no longer just generically concerned about security.”

What Are We Doing?

Specifically, all this concern has led to the empowerment of everyone who uses software, and now they’re pushing for some real application security. Here are the reasons why.

Vendors have no excuse for not fixing their software because it’s not technically difficult to do. For anyone who bothers to look, the numbers are overwhelming: 90 percent of hackers tend to target known flaws in software. And 95 percent of those attacks, according to SEI’s Cross, among other experts, exploit one of only seven types of flaws. (See “Common Vulnerabilities,” opposite page.) So if you can take care of the most common types of flaws in a piece of software, you can stop the lion’s share of those attacks. In fact, if you eliminate the most common security hole of all—the dreaded buffer overflow—Cross says you’ll scotch nearly 60 percent of the problem right there.

“It frustrates me,” says Cross. “It was kind of chilling when we realized half-a-dozen vulnerabilities were causing most of the problems. And it’s not complex stuff either. You can teach any freshman compsci student to do it. If the public understood that, there would be an outcry.”

SEI and others such as @Stake are shining a light on these startling facts (and making money in doing so). It has started to have an effect. Wysopal at @Stake says he’s seeing more empowered and proactive customers, and in turn, vendors are desperately seeking ways to keep those empowered customers.

“It’s been a big change,” he says. “We still get a lot of [customers saying], We’re shipping in a week. Could you look at the app and make sure it’s secure? But we’re seeing more clients sooner in the development process. Security always was the thing that delayed shipment, but they’ve started to see the benefits—better communication between developers, creating more robust applications that have fewer failures. The truth is, it doesn’t take that much longer to write a line of code that doesn’t have a buffer overflow than one that does. It’s just building awareness into the process so that, eventually, your developers simply don’t write buffers with unbounded strings.”

In fact, it’s a little more complicated than that. Even if, starting tomorrow, no new programs contained buffer overflows (and, of course, it will take years of training and development to minimize buffer overflows), there are billions of lines of legacy code out there containing 300 variations on the buffer-overflow theme. What’s more, in a program with millions of lines of code, there are thousands of instances of buffer overflows. They are needles in a binary haystack.

Fortunately, some enterprising companies have built tools that automate the process of finding the buffers and fixing the software. The class of tool is called secure scanning or application scanning, and the effect of such tools could be profound. They will allow CSOs to, basically, audit software. They’ve already become part of the security auditing process, and there’s nothing to stop them from becoming part of the application sales process too. Wysopal tells the story of a CSO who brought him a firewall for vulnerability testing and scanning. When a host of serious flaws were found, the customer literally sent the product back to the vendor and, in so many words, said, If you want us to buy this, fix these vulnerabilities. To preserve the sale, the vendor fixed the firewall.

Strong contracts are making software better for everyone. According to @Stake research, vendors should realize that there’s an ROI in designing security into software earlier rather than later. But Wysopal believes that’s not necessarily the only motivation for companies to improve their code’s safety. “I think they also see the liability coming,” he says. “I think they see the big companies building it into contracts.”

A contract GE signed with software vendor General Magic Inc. earlier this year has security officers and experts giddy and encouraged by its language (see “Put It in Writing,” this page). In essence it holds General Magic fully accountable for security flaws and dictates that the vendor pay for fixing the flaws.

General Magic officials say they weren’t surprised by the language in the contract, but many experts say the company has to be pretty confident in its products to sign off. The effect of the contract, though, is to improve software in general. The vendor must make secure applications—or fix them so they’re secure—to conform to its contract with a customer, but that makes the software better for everyone.

Put It in Writing

THIS IS FROM A CONTRACT between GE and software vendor General Magic Inc. (GMI), from earlier this year, which, experts say, represents some of the strongest language to date that software users have crafted to hold software vendors accountable for the quality of their code. It also creates clout-by-proxy: If General Magic has to make sure the code conforms for GE, it will conform for all users of the product.

7.3 Code Integrity Warranty. GMI warrants and represents that the GMI software, other than the key software, does not and will not contain any program routine, device, code or instructions (including any code or instructions provided by third parties) or other undisclosed feature, including, without limitation, a time bomb, virus, software lock, drop-dead device, malicious logic, worm, Trojan horse, bug, error, defect or trap door (including year 2000), that is capable of accessing, modifying, deleting, damaging, disabling, deactivating, interfering with or otherwise harming the GMI software, any computers, networks, data or other electronically stored information, or computer programs or systems (collectively, “disabling procedures”). Such representation and warranty applies regardless of whether such disabling procedures are authorized by GMI to be included in the GMI software. If GMI incorporates into the GMI software programs or routines supplied by other vendors, licensors or contractors (other than the key software), GMI shall obtain comparable warranties from such providers or GMI shall take appropriate action to ensure that such programs or routines are free of disabling procedures. Notwithstanding any other limitations in this agreement, GMI agrees to notify GE immediately upon discovery of any disabling procedures that are or may be included in the GMI software, and, if disabling procedures are discovered or reasonably suspected to be present in the GMI software, GMI, as its entire liability and GE’s sole and exclusive remedy for the breach of the warranty in this section 7.3, agrees to take action immediately, at its own expense, to identify and eradicate (or to equip GE to identify and eradicate) such disabling procedures and carry out any recovery necessary to remedy any impact of such disabling procedures.

SOURCE: FREEEDGAR.COM/SEC

Clout is not limited to the Fortune 500. Sure, it’s easy for GE to write such a contract, given that GE is part of the Fortune 2. And there’s nothing wrong with CSOs benefiting from GE’s clout—the corporate equivalent of drafting in auto racing.

But there are other ways to force the issue with vendors for CSOs at companies smaller than GE (which is everyone but Wal-Mart). One can join the Sustainable Computing Consortium at Carnegie Mellon University, and the Internet Security Alliance, formed under the Electronic Industry Alliance. The interest groups help companies of all sizes band together on standardizing contract language and best practices for software development.


Some are taking satisfaction in a good old-fashioned boycott, even if they are so small as to escape the vendor’s notice. Newnham College at the University of Cambridge in England, with 700 users, recently banned Microsoft’s Outlook from use on campus because of the virus problem.

Much of the clout CSOs gain will come from the market evolving. In a sense, the software makers create clout for the CSO by asking her to deploy the product for ever more critical business tasks. At some point, the potential damage an insecure product could inflict will dictate whether it will be purchased.

“Two years ago, the marketing strategy was to just get it out there. And some of the stuff that went out was really insecure,” says the anonymous ISO at the large financial institution. “But now, we just say, applications don’t go live without security. It’s a sledgehammer.”

And it’s not a randomly wielded one either.
His company has created a formal process to assess vendors’ applications and his own company’s software development as well. It includes auditing and penetration testing, and the vendors’ conforming to overarching security criteria, such as eliminating buffer overflows and so forth. It’s not unusual, the security officer says, for his group to spend $40,000 per quarter testing and breaking a single application.

“Customers are vetting us,” says Davidson. “Not just kicking the tires, but they’re asking how we handle vulnerabilities. Where is our code stored? Do we do regression testing? What are our secure coding standards? It’s impressive, but it’s also just plain necessary.

“They have to be demanding. If customers don’t make security a basic criteria, they lose their right to complain in a lot of ways when things go bad,” she says.

At the bank, the security officer says, is a running list of vendors that are “certified”—that is, they’ve successfully met the application security criteria by going through the formal process. The list is incentive for vendors to clean up their code, because if they’re certified, they have an advantage over those that aren’t the next time they want to sell software. Vendors, he says, “have either gone broke trying to satisfy our criteria, or they run through the operation pretty well. A few see what we demand and just run away. But there doesn’t seem to be any middle ground.”

The government is taking an active role. The image of the government in security is that of a clumsy organization tripping over its own red tape. But right now, at least in terms of application security, the government is a driving force, and the government’s efforts to improve software are making a joke of the private sector.

In fact, no industry has been more effective in the past year at pushing vendors into security or using its clout (often, that comes in the form of regulation) to effect change.

At the state level, legislatures have collectively ignored the Uniform Computer Information Transactions Act (UCITA), a complex law that would in part reduce liability for software vendors (most major vendors have backed UCITA).

Federally, money has poured into the complex skein of agencies dealing with critical infrastructure protection, which has taken on a life of its own since 9/11. Equally important but not as well publicized, the feds fully implemented in July the National Security Telecommunications Information Systems Security Policy no. 11, called NSTISSP (pronounced nissTISSip), after a two-year phase-in. The policy dictates that all software that’s in some way used in a national security setting must pass independent security audits before the government will purchase it.

The government has for more than a decade tried to implement such a policy, but it has been put off. Vendors have routinely been able to receive waivers through loopholes in order to avoid the process. The July move is considered a line in the sand. With national security on everyone’s mind, experts believe waivers will be harder to come by. The Navy is telling kvetching vendors to use NSTISSP no. 11 as a way to gain a competitive advantage. At any rate, products will have to be secured, or the government won’t buy them. Like GE’s contract, this makes software better for everyone.

The ability of the public sector to whip vendors into shape on application security is best represented, though, by John Gilligan, CIO of the Air Force, who in March told Microsoft to make better products or he’ll take his $6 billion budget elsewhere. It was a challenge by proxy to all software vendors. At the time, Gilligan said he was “approaching the point where we’re spending more money to find patches and fix vulnerabilities than we paid for the software.” And he wasn’t shy about labeling software security a “national security issue.”

Microsoft Chief Security Strategist Charney called himself a “nudge and a pest by nature,” and he may have found his counterpart in Gilligan, who in addition to mobilizing the Air Force is encouraging other federal agencies to use similar tactics. Gilligan says he was encouraged by Bill Gates’s notorious “Trustworthy Computing” memo—his mea culpa proclamation in January that Microsoft software must get more secure—but that “the key will be, what’s the follow-through?”

Nudging Vendors

Gilligan is right, and clever, to invoke patches as a major part of his problem. If a vendor is not convinced that securing applications is a good idea after getting proof of an ROI from securing applications early, or after gaining the favor of large customers by submitting to a certification process or to a contract with strong language, then patches might do the trick.

Patches are like ridiculously complex tourniquets. They are the terrible price everyone—vendors and CSOs alike—pays for 30 years of insecure application development. And they are expensive. Davidson at Oracle estimates that one patch the company released cost Oracle $1 million. Charney won’t estimate. But what’s clear is that the economics of patching is quickly getting out of hand, and the vendors appear to be motivated to ameliorate the problem.

At Microsoft, it starts with security training, required for all Microsoft programmers as a result of Gates’s memo. Michael Howard, coauthor of Writing Secure Code, and Steve Lipner, manager of Microsoft’s security center (Patch Central), are running the effort to make Microsoft software more secure.

The training establishes new processes (coding through defense in depth, that is, writing your piece of code as if everything around your code will fail). It sets new rules (security goals now go in requirements documents at Microsoft; insecure drivers are summarily removed from programs, a practice that Richardson says would have been heresy not long ago). And it creates a framework for introducing Microsoft teams to the concept of managed code (essentially, reusable code that comes with guarantees about its integrity).

A year and several hundred million dollars later, it’s still not clear if the two-day security training for Microsoft’s developers is giving them a fish, or teaching them to fish. Richardson seems to believe the latter. She says the training starts with “religion, apple pie and how-we-have-to-save-America speeches.” And, she says, it includes at least one tough lesson: “You can’t design secure code by accident. You can’t just start designing and think, Oh, I’ll make this secure now. You have to change the ethos of your design and development process. To me, the change has been dramatic and instant.”

To Microsoft customers, it’s a more muted reaction. Since Gates’s proclamation, gaping security holes have been found in Internet Information Server 5.0, reminding the world that legacy code will live on. Even the company’s gaming console, Xbox, was cracked—indicating the pervasiveness of the insecure development ethos and how hard it will be to change.

Microsoft also faces an extremely skeptical community of CSOs and other security watchdogs. Don O’Neill, executive vice president for the Center for National Software Studies, says, “When it comes to trustworthy software products, Microsoft has forfeited the right to look us in the face.”

So let’s end where conversations about application security usually begin: Microsoft.

Richardson’s reaction to Gates’s memo was not much different than anyone else’s. “I wondered how much of this was a marketing issue compared with a real consumer issue,” she says.

The memo has become a reference point in the evolution of application security—the event cited as the start of the current sea change. In truth, the tides were turning for a year or more, and if a date must be given, it would be Sept. 18, 2001, one week after 9/11 and the day that the Nimda virus hit. Microsoft’s entering the fray—as it did with the Internet in 1995, also via a memo—is more an indication that the latecomers have arrived, a sort of cultural quorum call.

It was, “We’re all here so let’s get started,” the beginning of the era of application security as a real discipline, and not an oxymoron. ■


Senior  Writer  Scott  Berinato  can  be  reached  via 
e-mail  at  sberinato  ficxo.com. 


Is  open-source  software  any  safer  than  propri¬ 
etary  code?  Read  Senior  Writer  Scott  Berinato's 
ALARMED  column,  “The  Open  Source  (Non-) 
Debate.”  Go  to  www.csoonline.com/printlinks. 
ARE SECURITY CERTIFICATIONS ALL THEY’RE CRACKED UP TO BE? HERE’S YOUR GUIDE THROUGH THE JUNGLE OF ACRONYMS.


The security profession has a secret language. Blunt and circumspect, it has nothing to do with IP addresses or code names for hack attacks. If you speak it, employers’ doors swing wide for you. If not, you’re out in the cold, even if you’ve walked the walk for 20 years. It’s the language of certification, and it looks like this:

CISSP, CBCP, CPP, CFE, CISA, GIAC, ISSA, ISACA, ISC2, SANS, CCSE, MCSE, TICSA, VCPE, RSA/CSE, CCNA, CNE, CIW, FCSS, EWSCP.

Easy to decipher? No. But in the world of security certification, such acronyms can carry the same cachet as an Ivy League education or a PhD. And, often, salary is directly proportional to the number of letters you can attach to your name or resume.

Security is hot these days, and everyone seems to want in. Unfortunately, there are very few qualified security workers who have a lot of experience under their belt, which leaves managers scrambling to fill vacancies.

In response to all that pent-up demand for trained staff, the certification industry—those companies that administer or provide training for exams—has created a bevy of new certifications. There’s so much money to be made from those seeking certification that everyone wants a piece of the action. The good news: There’s a lot to choose from. The bad news: It’s that much more difficult to differentiate between meaningful certifications and expensive diploma mills.


■ IN THIS STORY: What certifications really are—and aren’t—good for ■ What key players are doing to make the process more reliable


Security  Certification 


Two or three years ago, there were so few certifications that everyone knew what acronyms like MCSE and CCSE stood for, and what the exams entailed in terms of experience and knowledge. Earning a certification such as the CISSP, which was widely viewed as the most valuable and upstanding information security certification available, was seen as a measure of one’s knowledge, and a validation and recognition of accomplishment in the security field. Today’s proliferation of certifications, however, is less meaningful.

And navigating the certification battlefield is difficult and messy. “Some certifying bodies use the current focus on security as a way to make money,” says Lew Wagner, CISSP, CPP and CISO of the University of Texas MD Anderson Cancer Center. Driving the need for certification is in the interest of those offering training and certifications.

New certifications are coming fast and furious. CompTIA recently launched the beta of Security+, a certification for entry-level security workers. In addition to offering the well-respected CPP, the American Society for Industrial Security will begin offering two new certifications in physical security and investigations next fall. And the Field Certified Professional Association is about to launch an advanced Field Certified Security Specialist certification that will debut later this year.

But no one group or individual has stepped forward to guide the security field toward a gold standard of training and education. “It’s getting a little crazy right now,” says David Cullinane, CPP, CISSP and president of the Information Systems Security Association (ISSA). “There are too many certifications with no distinction between them.”

The proliferation of security certifications is especially confusing for CSOs, since there’s no governing body to vet the certification process. “There are so many certifications coming down the pike that no one can keep track of what’s real and what’s not,” says Cullinane, who’s Washington Mutual’s CISO.

Are You Experienced?

Certification certainly isn’t a substitute for experience, but for security newbies, it’s a way to get interviews and differentiate themselves from other job candidates. Today’s reality, however, is fairly cut-and-dried: Typically, the more letters after your name, the more money you make.

“No one wants to pay for skills unless there’s some proof of proficiency,” says David Foote, cofounder, president and chief research officer of Foote Partners, a management consultancy. According to the company’s survey data, security workers with certifications such as the CISSP and GIAC series (see “Now I Know My ABCs,” this page) are paid anywhere from 6 percent to 12 percent more in bonus pay than those without certifications. The Foote survey also found that 50 percent of companies are covering the cost of certifying employees.

Consequently, security employees are seeing the incentive for taking the certification tests. “If you have a couple of years of experience, there’s a pot of gold waiting for you if you get certified,” Foote says.

No surprise, then, that technical certifications such as the SANS Institute’s GIAC series—which offers training and certification in areas such as intrusion detection, incident handling and firewall administration—are experiencing a boom in popularity. Attendance at SANS training sessions is up 33 percent, according to Alan Paller, director of research at the SANS Institute. Right now, the GIAC is the most attractive certification series, according to Foote, because companies are looking for ways to train existing employees in the details of security rather than hiring more experienced security experts who can command even higher salaries. The GIAC is extremely thorough and highly technical, which makes it very attractive for companies that want to get the most out of the money they spend on certifying employees.

Some certifying bodies—like ISC2 and SANS—require a few years’ previous experience before you can take the exams. Such requirements are meant in part to prevent someone from walking into the security field without any background in the field, Paller says. In January 2003, ISC2 will bump the amount of required experience to take the CISSP test to four years, and it will go to five years in 2004, says James Wade, chairman and president of ISC2.


Now I Know My ABCs

Here’s just a sampling of the myriad certifications in the field of security.

ISC2
www.isc2.org

CISSP (Certified Information Systems Security Professional)
Level: Advanced
Cost: $450
Skinny: Pretty much standard for CISOs

SSCP (Systems Security Certified Practitioner)
Level: Intermediate
Cost: $295
Skinny: Also standard for CISO-types

SANS
www.sans.org

GIAC (Global Information Assurance Certification)
Level: Basic
Cost: Varies
Skinny: Technical series designed to give nuts-and-bolts understanding

ASIS
www.asisonline.org

CPP (Certified Protection Professional)
Level: Advanced
Cost: $325
Skinny: Difficult but essential

DRI International
www.dr.org

ABCP (Associate Business Continuity Planner)
Level: Basic
Cost: $250
Skinny: A must for business continuity

CBCP (Certified Business Continuity Planner)
Level: Intermediate
Cost: $250
Skinny: More advanced than ABCP

MBCP (Master Business Continuity Professional)
Level: Advanced
Cost: $300
Skinny: Most advanced for business continuity

Association of Certified Fraud Examiners
www.cfenet.com

CFE (Certified Fraud Examiner)
Level: Advanced
Cost: $200
Skinny: Essential for fraud investigation and prevention

ISACA
www.isaca.org

CISA (Certified Information Systems Auditor)
Level: Advanced
Cost: $465
Skinny: Best for IS audit and control

CompTIA
www.comptia.org

Security+
Level: Basic
Cost: $200
Skinny: New test for entry-level workers

Security Certified Program
www.securitycertified.net

SCNP (Security Certified Network Professional)
Level: Intermediate
Cost: $150
Skinny: Highly technical for network systems or systems administrators

SCNA (Security Certified Network Architect)
Level: Advanced
Cost: $180
Skinny: For security specialists or IT managers

TruSecure
www.trusecure.com

TICSA (TruSecure ICSA Certified Security Associate)
Level: Intermediate
Cost: $295
Skinny: Complementary to CISSP; offers prep through training partners

ProsoftTraining
www.prosofttraining.com

CIW (Certified Internet Webmaster)
Level: Advanced
Cost: $125
Skinny: For those already holding a networking administration certification who want to add security

Learning Tree
www.learningtree.com

EWSCP (Enterprise and Web Security Certified Professional)
Level: Intermediate
Cost: $4,995
Skinny: Price includes a four-course training class for enterprise and Web security professionals

NSCP (Network Security Certified Professional)
Level: Intermediate
Cost: $4,995
Skinny: Network security counterpart to EWSCP

For a more comprehensive listing, check out our website at www.csoonline.com/printlinks.

Street Smarts

Though CSOs stress the need for certification, no one has devised a method to weigh certification versus experience. Obviously, certification doesn’t guarantee that the holder can handle a DNS attack like a veteran. It simply means you’ve passed a test (see “Ready, Set...Certify!” Page 42). “The fact that you are certified opens a lot of doors that otherwise would remain closed,” says Ron Baklarz, CISSP, GSEC and CISO of the American Red Cross. “But nothing compares with real experience under fire.”

Few CSOs will admit outright that they won’t hire someone without certification, but for Bob Cordier, vice president of security and safety for MetLife, certification is a necessity for prospective employees. “I look for certification when hiring,” Cordier says. “It can make the difference if all other qualifications are equal.”

CSOs who have spent years working their way up the ranks without feeling the need to be certified are now facing a prime opportunity to become even more marketable, a fact that’s not lost on Bob Fox, vice president and CSO of Sprint. “I don’t have a CISSP, but I’m seriously considering it,” he says. “It’s that important. Having a CISSP means you can grasp both the technology and the management part of security administration, and having that expertise gives customers and employees a level of comfort when dealing with a company.”

Fox sees certification as a useful tool in judging how up-to-date a job candidate’s knowledge is. Most certifications have to be renewed every two to five years. If someone with 20 years’ experience claimed he was familiar with the most current technology skills, Fox says, he’d have serious doubts about the veracity of the claim if he wasn’t certified. “Knowing someone has updated their knowledge on a regular basis is huge,” he says. “That’s why I’d hire someone with less experience but certified over someone with more experience and no certification.”

But there’s no good system to help distinguish between someone with five years of experience but who holds a CISSP and a GSEC, and someone who is not certified but has 15 years of experience in multiple jobs. Until security executives can draw that line, certification will continue to obscure the hiring process, says Ainsley Rattray, CISSP and chief security strategist at LabMorgan, a division of J.P. Morgan Chase.

In addition, not every person is a good test-taker. And the good test-takers don’t always have the smarts to back up their good test scores. “I’ve seen good test-takers pass the CISSP who weren’t fit to be a CSO,” Wagner says. “And I’ve seen really good people who have to take it again because they weren’t good test-takers.”

Certification shouldn’t be the sole determinant of skill, and it can’t be taken in isolation from experience, Rattray insists. “Certification represents achievement, not mastery. There’s no substitute for experience.”

Such a conclusion has yet to trickle down the ranks, however. Many are open in their condemnation of those who put too much emphasis on certification. Yet those same people are certified: They don’t want to fall behind their peers or lose job opportunities just because of an acronym (or the lack thereof).


Ready, Set...Certify!

Preparing for a security certification exam is a lot like studying for the SAT. The first step for a CISSP, for example, is to make sure you fulfill the qualification requirements: three years of professional security experience, completion of an agreement that attests to that experience, and a legal commitment to the CISSP code of ethics.

Once that’s done, you reserve a seat to take the exam by sending your $450 exam fee to ISC2. Then the real work begins. Like most other standardized aptitude tests out there, you can sign up for a preparation course. What’s unusual about security certification is that most of the certifying bodies also offer training for the certifications they issue. You can take a Certified Book of Knowledge (CBK) review seminar through ISC2 (the exam is based on the CBK), or you can take a prep course independent of ISC2. Recently SANS began offering training for the CISSP. There are unofficial CISSP “boot camps” that claim to prepare candidates. And there are whole libraries worth of test prep books, online courses and old exams to study. Some people are natural test-takers and some aren’t, so the extent and cost of training varies from a week to more than a month.

Come the day of the exam, you’ll have six hours to complete 250 multiple-choice questions on 10 different areas of security. If you’re among the 70 percent who pass, you must then submit an endorsement form from a certified CISSP, and you may be chosen at random to have your application audited for authenticity. If you manage to get through all that, you get a lovely piece of paper that you can frame and hang on your wall (and probably a hefty raise as well). -S.K.

Equitable and Reputable

All the hype about certification certainly isn’t hurting organizations like SANS and ISC2 or training companies like Learning Tree International, which make most of their money from certification preparation courses. The exams usually cost $200 or less, while training classes to prepare for the exams tend to be around $3,000 (see “Now I Know My ABCs,” Page 40).

Controversial “boot camps” are emerging to offer CISSP candidates a cheaper way to prepare for the exams, and ISC2, for one, isn’t happy. The camps allegedly use actual material from the test and encourage participants to lie about their work experience on their exam application, according to Marc Thompson, vice president of ISC2. Both practices threaten the integrity of the certification itself, he says.

To prevent such finagling around the rules, ISC2, SANS and other certifying bodies such as the Association of Certified Fraud Examiners are making it harder for prospective certification candidates to qualify for the exams. Most tests now require a minimum of three years’ experience and the test-taker must sign a code of ethics, which is like a security version of the Hippocratic oath. ISC2 now requires candidates to be endorsed by another CISSP so that they can check references, and it enforces random audits of applications.

Still, not all certifications are worth the paper they’re printed on. Few CSOs are willing to peg the flimsy certifications by name, but they do admit to their existence. “There are definitely certs where you just mail it in,” Wagner says.

The chaotic state of certification has spurred some to action. Frank Reeder, chairman of the Center for Internet Security, is working with the heads of SANS, ISC2, ISACA and others to discuss the formation of a governing body akin to the American Bar Association that would establish benchmarks in security education and certification. The idea is still in the embryonic stages, Reeder says, but he wants an organization that can accredit certifications and set technical specifications for education. “You can become certified by passing an exam and writing about your experience. That’s just not sufficient to prove that you’re qualified,” he says. “We want to elevate the standards and give people with certifications a better tool in the marketplace.”

Reeder wants to set basic criteria for certification that include training independent from the agency offering certification; the testing itself; substantial practical experience along the lines of required flying hours for pilots; required continued education; and independently monitored standards for ethical behavior. Currently, certifying organizations are usually the only venue through which candidates can train for exams, which opens up some questions of integrity.

“If they offer training and certification, then it becomes a marketing device, not an independent process,” Reeder says. For example, if you pay to train for the CFE and you don’t pass the test, the ACFE will either refund your money or allow you to take the test again.

Reeder’s efforts have already reaped results. SANS and ISC2 recently announced a training program in which SANS will teach ISC2’s Common Body of Knowledge as well as essential technical security skills during training for the GSEC certification. Students can then take either the GSEC or the CISSP. The move is the industry’s first step toward making certification more equitable and reputable.

Until the hype surrounding certification subsides, CSOs need to decide where to draw the line when it comes to balancing experience and certification. That call will be easier to make in a year or two when the big-name certifications start requiring candidates to have four and five years of experience prior to taking exams. But even then you’ll need to make thoughtful, informed hiring decisions that don’t exclude security veterans who aren’t certified. If you take the time to learn what each certification entails, you can avoid spending training dollars on useless certifications, and you won’t be overwhelmed by the lineup of acronyms on anyone’s resume. ■

Staff Writer Simone Kaplan can be reached at skaplan@cxo.com.

Are certifications a valid mark of a person’s skill and knowledge level, or are they just resume fluff? Go online and visit TALK BACK to tell us what you think. Go to www.csoonline.com/printlinks.

BOB DEGEN, senior vice president for corporate security of First Data, hopes he can restrain executives from using insecure WLANs.

They’re here, they’re insecure, and they’re gaining a foothold in your enterprise. How do you restore order without simply squashing these pests?


Growing up, a friend of mine would cite entropy as the reason for never cleaning her room. After all, if the universe inexorably trends toward chaos and all systems eventually dissolve into disorder, what’s the point of picking up a T-shirt or putting away a board game? It was an ingenious, if usually ineffective, application of scientific theory. It’s also one that I suspect many CSOs can relate to as they confront the growing complexity of new technologies and its anarchic effect on their best-laid security plans.

■ IN THIS STORY: Four hot IT trends and the security holes they create ■ Tactics for minimizing risk while using these new technologies

Historically, the discovery of new security vulnerabilities has always outpaced the CSO’s ability to respond, but CSOs are now forced to play catch-up on a second front as well. Not only are hacking tools and exploits lapping the security organization’s efforts, the rapid development of presumptively useful technology is itself leaving CSOs scrambling to maintain order. Instant messaging (IM) and file-sharing programs proliferate almost virally, disguising themselves as Web traffic to zoom through firewalls unimpeded; and employees with the high-tech itch frequently purchase their own PDA and wireless local area network (WLAN) to access the corporate network with little thought to the security consequences. The CSO’s challenge: to exert some semblance of control over all this chaos.

In this story we take a look at four technologies that security organizations have admitted to struggling with. CSO talked to chief security officers and industry experts about the security and management challenges these technologies present and gleaned their best advice for reining in the chaos and balancing the business benefits of technology with the necessary controls of a solid security strategy.

The majority of these technologies illustrate a frightening truism for CSOs: The concept of the perimeter is dissolving. The idea that you could build a wall and control everything on the inside and keep disruptive elements on the outside has fallen from favor. The Web—that original disruptive application—is now pervasive. CSOs need to find ways to assert some control. Good security is not about secure technologies; it’s about good administration, effective policy development, smart risk management and consistent auditing to test against the objectives.

The problem in all these cases is that when business units or executives become enamored of a particular technology, many CSOs lack the mandate to deny it to them. Security executives have a fine line to walk. You will see that some CSOs are able to issue blanket bans on technologies while others must negotiate a compromise with business users. Chris Byrnes, a vice president and analyst who tracks security for the Meta Group, suggests that CSOs take the tack of evaluating technologies in terms of how they serve the needs of the business, and then find the balance between achieving a business benefit and achieving good security. “It has to be dynamic; it has to be negotiated,” says Byrnes. “Security officers who try to dictate to the business what they can and can’t use are not going to keep their jobs.”

In the spirit of career longevity enhancement, then, we offer this quartet of nettlesome technologies and some coping strategies for keeping them in order.


WEB SERVICES

■ Educate your developers about the security risks posed by Web services and the preventative measures they should take in their work.

■ Ensure that the security team stays informed about and involved with application development projects across the company.

■ Grill vendors regarding the security architecture of any product or technology that is likely to be interconnected via a Web service.

BILL SPERNOW, CISO for the Georgia Student Finance Commission, tries to eliminate security problems by sending his programmers to hacking courses.

Web Services

Commerce is about letting people in, not keeping people out, so it shouldn’t be surprising that the latest trend in technology creates a pipeline right through the firewall into some of your company’s most sensitive applications—all in the name of cost savings and efficiency.

But it’s not people who are being admitted into the sanctum; it’s bits of executable code made available using Web services. Web services are Web-based applications that use open standards such as SOAP (simple object access protocol), XML and HTTP to glue together different computer systems and applications that otherwise would not be able to communicate. That allows companies to build distributed Web applications and to take advantage of services already out on the Internet instead of having to build their own. For example, if company A wants to build a travel site for its employees and company B happens to have a terrific vacation booking service, A can build its site using B’s booking feature instead of having to spend time and money building its own. Web services allow those disparate Web applications to talk to one another, presenting what appears to be a cohesive whole to the user.

However, while Web services may offer enormous opportunities for improved efficiency, they also raise huge concerns for CSOs who suddenly find that they have some of their most critical applications hanging out on the Internet unsecured. Because those apps have so many lines of code and are generally not written with security in mind, they are among the most difficult IT assets to secure. The problem is compounded by the fact that CSOs often don’t know about Web services projects until they are well along or completed, and because these applications that are being stitched together have their own individual security attributes, which can be uneven at best and in some cases rife with holes. “People are going to Web services to get faster delivery and completion of applications,” says Byrnes. “So you can see that while the developer could increase his workload by building in security [up front], the tendency is not to do that.”

Earlier  this  year,  Adrian  Lamo,  a  so-called 
white-hat  hacker,  hacked  his  way  into  a  Web 
service  on  The  Nezv  York  Times  intranet. 
During  that  escapade  he  was  able  to  access  a 
number  of  the  company’s  databases,  including 
one  that  contained  the  Social  Security  and 
home  phone  numbers  for 
3,000  of  the  paper’s  op-ed 
contributors— among  them 
actor  Robert  Redford, 
commentator  Rush  Lim- 
baugh,  former  President 
Jimmy  Carter  and  even  hip- 
hop  artist  Queen  Latifah. 

Though  Lamo  revealed  the 
flaw  to  The  Times  rather 
than  selling  the  information, 
imagine  the  repercussions  if 
an  individual  with  malicious 
motives  took  a  similar  stroll 
through  your  company’s 
most  valuable  data. 

It’s a problem that Bill Spernow, CISO for the Georgia Student Finance Commission (GSFC), has tried to minimize by ensuring that security is top-of-mind among his organization’s developers. “I would classify middleware right now as the most unexplored security risk that most corporations and agencies have in their infrastructures,” says Spernow, noting that there are no tools available to explore the coding structure for holes and no ability to monitor processes to know when a security-based problem occurs. His solution has been to send GSFC programmers through hacking courses in order to make them aware of the various security vulnerabilities that they can create in their work and to show them how those holes are exploited. Later, that knowledge is also shared with the remaining staff.

PAUL CLARK, chief security and privacy executive at EDS, wanted to confine instant messaging use in his company but met with so much resistance he had to rethink the ban.

■ Educate your users of the dangers posed by IM and file-sharing programs.

■ Evaluate the risks—and potential benefits—posed by IM and file-sharing technologies within your company and decide whether you want to ban, regulate or allow their use.

■ For enterprises in which IM and file sharing have become business necessities, CSOs should investigate an intranet or extranet-based program that will allow for secure communication.
To avoid nasty surprises, Ted Doty, director of product management with Okena, an intrusion prevention software vendor, suggests that CSOs be aggressive about staying informed. “I’d get my nose in all those meetings with the server guys,” he says. “What are they doing about the next big generation of SOAP and XML? Are they even thinking about security? You’ve got to get involved in all these discussions before you wake up and find [some new application] out there on 10,000 machines.”

Peer to Peer

As with Web services, the danger of peer-to-peer technologies—applications in which users can use the Internet to exchange files with each other directly or through a mediating server—is that they cruise right through the firewall. However, the problem is complicated by the fact that the CSO isn’t just dealing with a relatively small team of Web developers; he’s trying to affect the behavior of every employee in the company. It’s a situation that EDS’s London-based Chief Security and Privacy Executive Paul Clark is all too familiar with.

In May, Clark sent out a memo to all employees serving notice that the company would begin blocking access to all Internet instant messaging sites because of the security risks IM poses to the company’s network and its clients. Within a week, Clark had to modify the ban. Executives who had been using IM as a cheap, high-touch means of communicating with customers balked at the ban. Moreover, the cost of securing IM traffic was found to be prohibitively high. In light of these realities, Clark had to rethink an outright ban.

Many file-sharing applications, such as Napster and Gnutella, and IM programs, such as AOL Instant Messenger and MSN Messenger, are designed to actively subvert the firewall and other security controls that organizations have put in place.

“These apps are usually written in such a way that they’re very determined to get the message through,” says Shawn Hernan, team leader for vulnerability handling at The CERT Coordination Center. “In most instances they don’t provide any security of the message, don’t protect it from observation in travel; there’s no integrity, no privacy, no digital signatures.” The programs tend to be installed by the nonsecurity conscious (read: your average employee), and applications are frequently out of date, contain a range of vulnerabilities and create a situation for CSOs in which an unknown number of messages traverse their networks in clear text. This is a security executive’s nightmare.

In order to work effectively, IM needs to pass through open ports. So IM systems wrap communications up to look like Web traffic, enabling them to enter the port unnoticed by the firewall or virus-scanning software. That makes IM susceptible not only to viruses but to social engineering tactics. Users are tricked into downloading malicious software that lets intruders use their systems as a platform for launching denial-of-service attacks.

Security vendors have come up with a number of possible solutions to the IM problem. Some vendors, such as IM-Age Software, add a layer of authentication and encryption to public services like Yahoo and MSN Messenger. Others, such as Jabber, offer their own IM platforms that can be used alone or with public IM services, as well as dedicated IM servers that companies can deploy and manage behind their own firewalls. So CSOs must consider whether they want to control, ban, regulate or simply endure the risks posed by IM and file sharing.

But, as Clark learned, once you’ve let the kids into the candy store, it’s not so easy to get them out. EDS decided to designate its own secure port for IM services and to limit the program’s use only to certain individuals with a high need for IM capabilities; all other access to IM and non-EDS file-sharing programs is blocked. “It’s not a negative thing,” says Clark of the IM trend. “It’s what the information world is about. Everyone’s clamoring for freedom of access to information. But it has to come with controls.”

For companies that do want to block rather than regulate IM, it’s not always that easy. IM and file-sharing programs are being designed with increasing intelligence and cloaking skills. They can masquerade under different protocols and test different ports until they find one that will let them in. Short of a total ban, the best thing that a CSO can do is to help users understand why these products can be dangerous.

CISO Spernow has mandated that every new nonprogramming employee at his organization must undergo four hours of computer crime and hacking awareness training so that they can understand the drivers behind computer crime and how their own behavior can contribute to the problem.

WIRELESS

■ Use what you have. Even the most basic security controls such as WEP are better than no controls at all.

■ Implement end-to-end encryption with a virtual private network (VPN).

■ Create detailed security policies that outline the appropriate use of wireless devices. Then educate users on the security risks they can pose.

■ If wireless access is deemed a corporate necessity, look into WLAN products that have proprietary security systems.

Hernan, too, suggests an active rather than passive approach. “Clearly articulate your policy, don’t just let [violations] happen, and be forced to respond,” he says. As with many of these technologies, forming a policy around IM and file sharing is essentially a risk-management decision. CSOs must decide what level of risk they are willing to accept in exchange for what degree of enhanced business value. Based on that they should make the call and then educate users about it.

Wireless

A lot has been written about the security flaws of wireless networks, and you’ve probably heard the tales of the enterprising hacker who can sit on a park bench in the heart of the financial district and tap into dozens of wireless networks. But for CSOs the challenges of wireless are only getting larger as the holes in security go unpatched, and employees either demand greater wireless connectivity or surreptitiously achieve it on their own.

“Wireless is robustly insecure,” says Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security, a security-management service provider. “The only way to look at wireless is to assume that it’s completely insecure.”

Bob Degen is the former supervisor of the financial crimes unit for the U.S. Secret Service, where he additionally served on protective detail for presidents Nixon, Reagan and Bush. Currently he is senior vice president for corporate security of First Data (the parent company of Western Union), where he has seen proof of wobbly wireless security. A high-placed executive at the company bought himself a WLAN and, despite Degen’s numerous warnings about the security problems, was bound and determined to use it. After a business trip to Paris, he came to Degen and apologized for having ignored his warnings. The executive sheepishly went on to explain that he had been on his WLAN in the hotel, had turned it off, but was puzzled when a light indicated that he was still connected to the network. It turned out that a guy two rooms down had been on a WLAN as well and the lines had gotten crossed. Each had become connected to the other company’s LAN, and the light was on because the other guy was still on First Data’s network.

The standard security protocol for wireless is WEP (wired equivalent privacy), and since its release in 1997 a number of flaws have been found that allow anyone with the right tools to break the encryption. Even the example of the hacker on the park bench is out of date. By using increasingly powerful receivers and transmitters, it’s now possible to break into a wireless network from as far as 10 miles away. According to one vendor, a telecom customer that realized its exposure even went so far as to put special windows into its new facility to block transmitters and protect internal wireless communications. It had to evaluate up to six window systems before it found one it couldn’t transmit across. But for most companies, security-driven window replacement is an unattainable and expensive luxury.

KEVIN DICKEY, CISO of Contra Costa County, is taking a swipe at PDAs by developing policies to govern their use.

■ Include the appropriate use of PDAs and cell phones in your corporate security policy.

■ Educate employees about the security vulnerabilities of communicating and storing data on mobile devices.

■ Consider making wireless technologies a corporate asset by purchasing and securing them for users so you have more control.

This is not the only problem that wireless presents. Like Degen’s executive who was determined to use his wireless LAN out of the office, employees can easily set up their own WLAN access points within the company walls. WLANs use wireless network cards and small boxes—the size of a CD drive—as network access points. They can easily be tucked in a drawer or under a desk. Whether they are set up by an employee who wants to e-mail during meetings or by a hacker looking to establish 24/7 access to your network, it is virtually impossible for CSOs to find them.

While security experts such as Schneier contend that wireless will never be secure, others see hope. “Well-implemented end-to-end cryptography or a virtual private network offers strong protection against certain kinds of attacks,” says Hernan. While he cautions that there are other kinds of attacks for which these solutions may not work, he believes that “most organizations would be well served to use end-to-end security or a VPN as part of a strategy for securing a wireless network.” The biggest problem with wireless security systems is that many companies aren’t bothering to use them. An informal 2001 Gartner survey found that more than 60 percent of companies operating wireless networks didn’t even have WEP—the most basic security that comes packaged with a wireless LAN—turned on.

But one thing that CSOs need to educate their executives about is that while it is possible to conceal specific content, the fact that person X is having a conversation with person Y can’t be hidden. This creates a scenario similar to one in which White House reporters see 20 pizzas being delivered to the West Wing at 2 a.m. and conclude that something big is brewing. At times, the very fact that communication is taking place at all can become a security breach. For example, a flurry of text messages between execs at two rival banks could signal that a long-rumored merger is in the works.


PHOTO BY JAY BLAKESBERG

October 2002 www.csoonline.com 49

Securing the Infrastructure


Although CSOs can control—or at least have significant input into—company-sponsored wireless installations, the greater vulnerability may come from employees, like Degen’s executive, who go out and set themselves up on wireless. While it is a must to create and enforce strong policies, Degen also advocates a touch of humiliation as an effective deterrent. “I didn’t get to where I was because I’m such a persuasive guy,” he says. “We have a saying in my group that ‘adversity is my friend.’ When something bad happens, jump on it, make a big example out of it, don’t hide it.” When a bank or government group comes in and gives First Data a bad security audit, Degen believes in making it public within the organization to increase the pressure on business units and employees that might be tempted to ignore a security mandate. “Look at what’s at risk,” he says. “Take advantage of bad things and parlay them into as much as you can get.”

Many CSOs might be horrified at the idea of tarnishing their own reputation within the company by exposing security flaws, but Degen plays the strong security mandate he’s been given for all its worth. When it was recently discovered that a facilities executive was flouting the company’s security policy by letting his employees use a loading dock door instead of the employee card-reader turnstiles, Degen organized a sting operation. He asked an employee from the company’s Tulsa, Okla., office (a stranger at the company’s Colorado headquarters) to piggyback on facilities employees going in and out through the dock doors. Time after time employees let him in, even though nobody knew who he was. Degen wrote up a ticket for every violation.

“I’m going to take all 30 of these tickets and throw them on [the facilities executive’s] desk,” he says. “Then I’m going to hold a remedial security class for all his people, and it’s going to be long and gruesome.”

Portables

PDAs and cell phones are becoming central tools in the organizational communications infrastructure. And as the computing power of these devices has increased, CSOs have seen the big security wall around their systems crumble. Now they struggle with the problem of how to control the usage and ensure the security of these new digital mobile assets.

The ease of use and mobility of portable devices have increased dramatically in the past five years, but as Byrnes points out, that’s not always a good thing. “Data stored on any handheld device is even more mobile than a stolen laptop,” he says. “For devices that communicate via wireless, the ability to steal or alter the data is a significant risk.” The solution is encryption, he says. “If critical data must be stored, it must be encrypted; and if critical data must be communicated, it must be strongly encrypted.”

However, the current generation of hardware devices is not powerful enough to support strong encryption, and only in late 2002 will a new generation of devices hit the market with a processor architecture robust enough to be truly secure.

That offers little hope for CSOs whose enterprises are already flooded with these devices. Frustrated with the lack of security, Degen ruled that employees could not use PDAs and wireless modems to connect to First Data’s systems. He notes that the decision is still a sore point with executives but was necessary because the company handles too much sensitive information to allow those kinds of holes to exist. “All we need is to lose 373 million credit card numbers,” he says. “Western Union has 9 billion transactions per month. What if somebody was listening to those?”

At EDS, Clark has dealt with the issue by ensuring that every system that dials in to the network—whether it’s a home PC or a PDA—gets an automatic download of virus control software. By putting controls at the access points, Clark can cut off any messages that might contain a virus.

As CISO of Contra Costa County in California, Kevin Dickey has the added burden of not only protecting these devices but ensuring that taxpayer funds aren’t being wasted when they’re bought. He is now in the process of working with all the county’s department heads and elected officials to develop a policy that governs their use—a process that he knows won’t earn him any friends. As in other organizations, the problem in Contra Costa County is that many employees purchase PDAs themselves. Consequently, there’s no way for Dickey to know how they’re being used or what kind of information is being loaded. “Allowing employees to put county assets on a PDA gives me heartburn from a security perspective,” says Dickey.

“Allowing employees to put business assets on a PDA gives me heartburn from a security perspective.”

—KEVIN DICKEY, CISO, CONTRA COSTA COUNTY

If economically feasible, one heartburn-avoidance strategy would be for companies to provide the devices to employees as a means of gaining an added layer of control. That way the CSO can make sure all such devices include appropriate security and are properly configured. ■

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.


Do vulnerabilities in new technologies have you reaching for Rolaids? For help, visit CSOonline’s STRATEGY AND MANAGEMENT RESEARCH CENTER at www.csoonline.com/printlinks.
MANAGEMENT GURU

PATRICK LENCIONI
Founder and president
The Table Group
Emeryville, Calif.

Lencioni has run his management consultancy for five years while also penning several books, including the best-seller The Five Temptations of the CEO and, most recently, The Five Dysfunctions of a Team. He also writes for many publications, including the Harvard Business Review.

SECURITY PRO

JOHN HARTMANN
Vice president of security and corporate services
Cardinal Health
Dublin, Ohio

Hartmann spent more than a decade with the FBI, mostly working in the information security practice, before going to Cardinal Health. He was also a program manager for the FBI’s economic espionage unit. He holds a law degree and manages both physical and information security in his current position.

(That’s the Hardest Thing)

IN THIS STORY: Why consensus is bad and conflict is good ■ How to engage in constructive debate ■ The key to managing up

Patrick Lencioni is a leading management consultant who has written several books and appeared in the Harvard Business Review. John Hartmann is a leading security practitioner at Cardinal Health. CSO brought these leaders together to tackle the tough questions on a tough problem: effective management in security.
GENERALLY, CONSENSUS IS A WAY OF ENSURING MEDIOCRITY.

—PATRICK LENCIONI, PRESIDENT, THE TABLE GROUP


Management Excellence

When we asked Cardinal Health’s security chief John Hartmann whom he’d like to see us interview, we weren’t surprised to see former FBI head Louis Freeh on his list. But we were surprised to see Patrick Lencioni. Turns out Hartmann took five pages of notes while reading The Five Temptations of the CEO, one of Lencioni’s books on effective management. What questions would a CSO pose to a management guru? We asked Hartmann to do the interview himself, with CSO Senior Writer Scott Berinato moderating. Excerpts from the conversation follow.


John Hartmann: Patrick, the CSO deals with a slew of issues that aren’t easily communicated. You’ve said that often things aren’t necessarily complicated, but people make them complicated.

Patrick Lencioni: Right. People overcomplicate things sometimes because they’re overeducated or because they’re looking for a silver bullet or a subtle, sleek solution to a problem, when what is really needed is consistent mastering of some simple behaviors over a long period of time. Unfortunately, when it’s simple, people sometimes get bored with it, and they think, Well, there must be something more here, which is difficult to prevent from happening. So success is simple, but simplicity is difficult.

The best companies are not the most intellectually sophisticated and complex ones. It’s the ones that have the courage to make things simple. Jack Welch, they said, had five major initiatives in 25 years. Most companies have five major initiatives every quarter.

CSO: Is security particularly vulnerable to this overcomplicating? Technically it is quite complicated, even if management of it shouldn’t be.

Lencioni: Yes. It’s easy to fall prey to the flavor of the day because there’s always a new product coming out. But the first place where security is important is in attitude and behavior. I would take a company with a security mentality but slightly outdated technology over one with great technology but not the security attitude.

Hartmann: Developing a consensus across the decentralized organization is a huge challenge for many CSOs—


Lencioni: First of all, I think that consensus on its own is a largely dangerous concept. I don’t think that it’s usually a good thing. When it comes about naturally that’s wonderful, but generally, consensus is a way of ensuring mediocrity. You need conflict, an airing of opinions so that the leader of the organization can make a decision having factored in all of the various ideas and opinions of all the constituencies. But the leader should not try to make a decision that pleases everyone. Consensus is trying to develop a decision that’s equally palatable to everyone or, often, equally unpalatable. Consensus fails to meet anyone’s desires, but it does so equally, and so it’s accepted. And that’s how we get mediocrity.

Consensus is particularly bad in security because nobody wins any award for keeping his constituents happy if it means not delivering security. It’s like, if you wait until there’s consensus—

Hartmann: You’ve waited too long. Let’s swap the word consensus for implementing standards.

Lencioni: Yes. Somebody has to dictate the final decision. And the only way to do that is to invite and, in fact, demand conflict up front. Waiting until later is a way to doom an effort. If there’s been enough conflict constituents will accept that decision.

CSO: So John, the CSO will be that person making the final decision after getting a lot of conflicting opinions. And conflict is good here?

Hartmann: It is.

CSO: But that sounds like it invites a new management issue. There will be people who—if the final decision John makes is not to their liking—are going to be put off by that. Others just don’t handle conflict well.

Lencioni: Right. What has to precede conflict is the building of trust. When people trust that the other people are not trying to be selfish or hurt someone else, then there’s going to be the ability to engage in conflict without it turning personal or vindictive.

Hartmann: And I think the model that I’ve seen work well before is where you lay your assumptions and your biases out on the table in advance.

Lencioni: Absolutely. I talk about vulnerability-based trust. And that means you’re willing to say, OK, I clearly have this bias, this experience, this self-interest. Now, having stated that, let’s talk about this and make the right decision.

Hartmann: I know you’ve written also about building teams. What advice can you give CSOs who often find themselves in a decentralized organization, drawing on skills and opinions of folks from legal, from human resources, from risk management and so forth?

Lencioni: In security, you’re dealing with a matrixed environment; you don’t have hierarchal authority over people. So it’s critical that you build trust up front. That’s not going to come through power politics; it’s going to come from collaboration. Not necessarily consensus but collaboration.

CSO: Managing up with something like security is hard. The CEO maybe doesn’t understand it. The CFO doesn’t necessarily want to pay for it. HR doesn’t want to recruit for security because it’s expensive. How can CSOs manage up?

Lencioni: In an area like security, nothing speaks louder than passion. You have to believe it in your gut. You have to live it. In security—this is probably true for people in the CIA or the police department for that matter—it’s not just a job. There’s a larger purpose to this, and if you get discouraged by people who don’t get it, you’re not going to be successful. Now, you have to combine that with some emotional intelligence so that you’re presenting it in a way that people understand. But ultimately, good leaders, good CEOs, are going to understand that passion, and you’re going to win them over.

Now, the other thing you have to have, in addition to passion, is a lack of fear of losing your job. I know that’s easy to say.

Hartmann: Along with the passion, along with the balancing between business needs and what’s practical for a corporation is knowing when to make the decision and the ability to adjust your decision as you go. I’d love to see you [talk about one of the concepts from your books]: clarity over certainty.

Lencioni: People in security have to be able to make a decision without perfect information. They can’t wait until they know all the answers, because it’s often too late. And they have to do that without a fear of being criticized or being wrong or, ultimately, of losing their job. Security officers have to be more independent in the sense that they’re taking ownership and responsibility for security, sometimes to an even greater extent than the chief executive or the executive team.

And if they do that honestly, and with passion and without fear, and if they can make decisions without a fear of being wrong—now, that’s a tall order, but that is probably what’s required.

You know what’s interesting as I’m thinking about this, John, if you want to be popular, you shouldn’t be in this field.

If  you’re  working  to  be  the  chief  security 
officer  so  that  you  can  say,  I’m  in  charge  of 
security  and  I  feel  good  about  that,  it  won’t 
work.  Probably,  if  there’s  one  job  in  the 
company  that  can’t  afford  that— other  than 
the  CEO— it’s  the  CSO.  You’re  only  as  good 
as  your  last  nonevent.  Status  only  detracts 
from  your  attentiveness  and  your  diligence. 

I  want  you  to  have  a  healthy  paranoia, 
which  means  I  want  you  never  to  feel  com¬ 
fortable,  never  feel  complacent  and  never 
feel  particularly  satisfied  with  what  you’ve 
achieved. 

Hartmann: Patrick, can you talk a bit about accomplishing your goals through others?

Lencioni: That’s a difficulty for a security person. If an executive says to the head of security, Listen, I’d like you to go sell my people on all of this, I’d say, That’s a waste of time. The CSO should say [to the executive], I’m going to sell you, and you’re going to sell them.

Hartmann: That’s a good one. In my opinion, companies that have recognized the need for a CSO have at least, at some significant executive level, some commitment to security.

Lencioni: Exactly. If you’re going to hire that person, have the courage to go to people and say, Don’t screw with him. If you want people to debate the return on investment, that debate needs to happen at the executive level. But if you think they have to keep debating it down the chain, that’s crazy.

And a chief security officer needs to be patient and persistent in getting the executives to figure it out. Once they commit, it should be a done deal.

CSO:  You  talk  about  collaboration,  having 
a  firm  hand  making  decisions,  simplicity. 

I can see people rolling their eyes and saying, Teamwork, blah, blah, blah. A theme in your writing is that these are just words until you apply brutal honesty. Can you talk a little bit about bridging that gap from saying things like teamwork and really creating it through this brutal honesty?

Lencioni: Teamwork is not a virtue; it’s a choice. Teamwork is something that people have to be willing to sign up for. And saying it but not doing it is worse than not doing it at all.

So,  when  people  sign  up  for  it,  they  have 
to  say,  I’m  going  to  build  trust  with 
my  teammates.  I  am  going  to  engage  in 
conflict.  I’m  going  to  commit  to  things.  I 
will  hold  them  accountable  and  let  them 
hold  me  accountable.  And  I  will  focus  on 
results,  not  on  my  own  agenda  or  my  own 
ego.  And  those  are  hard  things  to  do. 

Teamwork  is  actually  a  natural  fit  and 
a  requirement  for  great  security  because 
things  happen  so  quickly,  and  you  have  to 
be  so  on  top  of  things.  The  cost  of  not 
holding  each  other  accountable,  of  not 
committing  to  a  common  solution,  of  not 
trusting  each  other  and  engaging  in  conflict 
is  huge. 

Who’s  best  at  this  brutal  honesty?  The 
military,  fire  departments,  people  who  live 
in  crisis  situations. 

Hartmann:  Your  last  comment,  obviously, 
hits  home.  What  about  CSOs  holding  their 
direct  reports  accountable? 

Lencioni: So often people don’t like to hold others accountable because they look back and realize they never really clarified what they expected. They kind of said, Do your best. Having a really good discussion up front about what you expect from people both behaviorally and in terms of outcome is a great way to give even the most hesitant manager or leader the courage to hold someone accountable.

Hartmann: Well, I guess it’s easy to hold accountable the folks that work here directly for me. But when there is a security policy or rule that’s been mandated for the company and in some remote part of the world some little portion of the company doesn’t comply, it’s much more complicated trying to get enforcement or accountability.

Lencioni:  The  best  thing  I  can  say  there  is, 
go  back  to  the  executive  team.  I  remember 
once  I  went  to  the  executive  team  and  asked 
for  a  million  dollars  for  the  leadership  and 
management  training,  and  the  company 
said,  “Hey,  Pat,  what’s  the  ROI  on  this?”  I 
said,  “You  know  something,  I  can’t  tell  you 
exactly.  But  you  have  to  understand  in  your 
gut  how  critical  this  is.  So  I’m  going  to  take 
it  right  off  the  table  with  you  guys.”  And  I 
told  them,  “We  have  to  do  this  because  we 
believe  in  management  training.  If  we’re 
waiting  for  a  spreadsheet,  then  we’re 
never  going  to  do  it.” 

CSO: Was the brutal honesty and the passion communicated to them? Because I think that the ROI question probably turns John’s stomach every time he hears it.

Hartmann: Fortunately, after four years here, we’re kind of past that. But I can tell you that early on there was nothing but the ROI question.

CSO:  And  you  have  to  kind  of  go,  Well,  the 
ROI  is  that  nothing  will  happen. 

Hartmann:  Now,  we  talk  about  what  are 
we  saving  from  a  business  interruption 
standpoint  by  taking  certain  mitigating 
steps— by  looking  at  what  we  may  lose,  as 
opposed  to  what  we’re  going  to  get  back. 
That’s  been  really  successful  for  us. 

CSO: So, the CSO can sell his results?

Lencioni: Yes, I think so. But I think that’s something probably that a lot of people in that field aren’t very good at. Because the nature of the people that go into it is kind of no nonsense.


PATRICK LENCIONI’S LESSONS

THE JERRY MAGUIRE TENETS: Fewer initiatives. Less complication. Simplicity should rule. When making decisions, trust clarity over certainty.

THE MODIFIED KINDERGARTEN TENETS: Collaboration is good. Consensus is dangerous. Share and work together, but don’t make decisions that will placate everyone.

THE SOFT SKILLS TENETS: Executives respond to genuine passion. Build vulnerability-based trust by laying out your biases and limitations to a team up front.

THE HUMILITY TENETS: Accept that recognition will be hard to come by. Technology is less important than attitude. Make decisions without fear of losing your job.

Hartmann: I would agree with that. The softer skills, I think, are the most important ones. Having the ability to communicate a set of priorities, to pull together a team of people who can give advice, and then take a decision and drive results, I think that’s really important. And I think that some of those issues aren’t well suited to the often black-and-white thinking of security professionals.

Lencioni:  Chief  security  officers  are  in  an 
interesting  situation  in  that  they’re  taught 
not  to  trust,  and  they  have  to  verify  because 
over-trusting  is,  by  definition  in  security,  ill- 
advised.  At  the  same  time,  they  have  to 
develop  trust  with  their  constituents  within 
the  company.  Vulnerability  is  not  an  easy 
thing  for  a  security  person  to  do. 

CSO:  John,  do  you  feel  like  since  9/11  last 
year  your  job  has  changed? 

Hartmann:  Yes.  In  some  ways  the  sales 
piece  of  the  job  has  become  easier.  There’s 
a  recognition  now  that,  gosh,  things  out 
there  in  the  real  world  can  affect  the  way 
our  business  works.  Visibility  has  changed 
slightly. 

Lencioni:  But  things  haven’t  changed  all 
that  much. 

Hartmann:  Right.  The  fundamentals  haven’t 
changed. 

CSO: That’s an interesting point because a common refrain all last fall and winter was that everything has changed.

Hartmann:  Everything  has  not  changed. 

We  just  need  to  keep  doing  what  we’ve  been 
doing  a  little  bit  better.  At  our  corporate 
headquarters,  we  used  to  screen  our  visitors 
in  the  lobby.  Now,  we  screen  them  at  the 
guard  gate.  It’s  just  slightly  different.  We’ve 
been  doing  the  same  thing  for  years  at  our 
company,  but  we  just  kind  of  kicked  it  up 
a  notch. 

Lencioni: It’s like being a great parent. I once met this guy on the way back from Utah who had seven kids, and they were doing really well in school. And I asked, “What’s the secret, sir?” And he said, “Give them boundaries and hold them accountable to those. And just tell them you love them forever.” Those are all very simple, hard things to do. ■

E-mail  Senior  Writer  Scott  Berinato  at  sberinato@cxo.com. 


For further discussion of security strategy and management issues, read ENTERPRISE SECURITY: AN ARCHITECTURAL APPROACH, a CSOonline analyst report from Robert Frances Group. Go to www.csoonline.com/printlinks.

Using a behavior-based approach to intrusion detection, StealthWatch™ bridges innovation in security technology and network management with tangible results. Once deployed, StealthWatch prevents known and unknown external threats, as well as misuse from within the organization. With StealthWatch, you can identify vulnerabilities that contribute to lost productivity and network downtime.

Installed on the networks of Fortune 1000 organizations and government entities, StealthWatch ensures that critical assets of today’s largest enterprises are protected.

Request your free White Paper, "The Security Benefits of a Behavior-Based Intrusion Detection System", at http://www.lancope.com.
A Little Chin Music

You'll  need  to  learn  to  cover  your  bases  if  you  want  to 
become  an  ace  CSO  By  Anonymous 


WHEN I WAS A KID, MY PARENTS were eager to attend our big family reunion every year. But for me, it wasn’t all fun. While it was a good thing to see what new magic tricks Uncle Chet could do with his false teeth, it also meant mandatory participation at the dreaded All Family Softball Game.

In  hindsight  I  can  see  that  it  was  good  training 
toward  becoming  an  enlightened  CSO.  I  mean,  you  can  get 
fancy  degrees  or  attend  seminars.  But  ultimately,  security  is  about 
understanding  people.  And  you  can  learn  a  lot  about  people  at  an 
annual  softball  game. 

It’s  only  fair  to  ’fess  up  right  from  the  start.  I  suck  at  softball.  I 
can  hit  the  ball  a  country  mile,  but  I’m  too  slow  to  field  it,  too 
inaccurate  to  pitch  it  and  too  uncoordinated  to  outrun  it.  So  you  can 
guess  the  position  to  which  I  was  relegated:  the  catcher. 

Not that I didn’t suck at that too, but at least when Uncle Ted was playing umpire, he’d help me out by making calls in my favor. And therein lies my first lesson. As a security executive, you’ll soon discover that support comes in mysterious ways. Sometimes people will help you, sometimes they’ll help your opponents. Just because. In this case, Uncle Ted didn’t like much of the family. His interests lay simply in doing anything he could to keep anyone from scoring a run.

And  there  were  other  lessons  too.  I  was  big  for  my  age,  so  running  over  the 
catcher  on  the  way  to  home  base  was  not  a  trivial  exercise.  One  year,  my  Great 
Uncle  John  managed  to  hit  me  with  a  flying  tackle  (let  me  say  politely  that  he  was 
physically  “great”  as  well),  and  the  shot  sent  me  to  the  emergency  room.  Lesson 
two:  Anyone— whether  an  overly  ambitious  coworker  or  a  family  member— may 
run  you  down  like  a  stray  cur  in  the  street  if  they  think  they’ll  win. 

Somehow, I reached the ripe old age of 10. By then I thought I had achieved all the wisdom that the game of softball offered: that the game is indeed a violent one. Even when it’s played with a dad who means well. At the start of that year’s game, my dad assigned me to play first base. A line drive off the very next pitch broke my thumb as I tried desperately to catch the ball. Which brings me to lesson three: Even if the boss loves you, sometimes he will do things that unintentionally hurt you. A good boss will recognize his mistakes and try to remedy the problem (sometimes with proper medical help) so that you can continue to work for him.

I  found  an  excuse  to  miss  the  family  reunion  the  following  year  and  had  a  whole 
year  to  heal.  And  believe  me,  I  needed  it.  But  the  respite  brought  lesson  four:  A 
lull  in  the  action  only  serves  to  soften  you  up  for  the  next  big  blow.  Hacks  happen 
when  you  least  expect  them.  And  even  though  I  know  better,  I  still  get  lulled  into 
complacency  from  time  to  time. 


I knew my dad was still feeling pretty guilty about the incident two years prior because he assured me that I didn’t have to play if I didn’t want to. I didn’t. No one else, it turned out, wanted me to, either. You see, sometimes when a lot of bad things happen to you (even though they may not be your fault), no one wants to play with you. Instead, I was asked to retrieve the duffel bag with the softball equipment from Aunt Emmy’s truck in the parking lot. Don’t have to play, I thought, just get the stuff. Running with relief to the truck, I was hit by Cousin Sherill, who was arriving late in her new car. I bounced into Aunt Emmy’s truck and hit the trailer hitch with my head on the way down. This time, I was off to the emergency room for a fracture around my right eye.

Sherill, to this day, swears she never hit me with her car (even though my left hip had a reverse indentation of FORD on it). Which brings me to another lesson: If you’re a good repeat customer with emergency teams, you can get better service and quicker pain relief.

I  am  much  older  now.  I 
hadn’t  been  to  a  family  reunion 
in  more  than  a  decade— until 
this  year.  My  12-year-old  wanted  to  meet  his 
extended  family  and  hear  if  all  the 
stories  about  Dad  were  true. 

And, sure enough, the much despised family softball game is still played. My son is definitely from my gene pool: We are built for comfort, not for speed. There was one major difference between us though: His dad made him wear a protective helmet and proper gear to keep from getting scraped and bruised. He almost immediately got whacked in the head by Chet Jr. Which brings us to the final CSO lesson: Just because you get hurt in your climb to wisdom doesn’t mean that others have to be hurt as badly. Your experience can help others following the same tortuous path to enlightenment.

Many  times  I  see  bright,  young  security  folks  trying 
their  hardest  to  get  the  job  done  well.  Many  times  they 
make  the  same  boneheaded  mistakes  I  made.  If  they’re 
not  too  severe,  it’s  good  to  let  them  get  bonked  in  the 
head  every  once  in  a  while.  But  as  CSO,  you  can  protect 
the  less  experienced  colleagues.  Remember:  Everyone 
needs  a  little  high  cover  from  time  to  time. 

Especially  if  they  are  family.  ■ 

This column is written anonymously by a real CSO at a major corporation. To give feedback, e-mail us at csoundercover@cxo.com.
SAVVIS

The  Network  that  Powers  Wall  Street™ 


1-800-SAVVIS-1
www.savvis.net/testimonials


There  are  some  things  you  just  can’t  take  a  chance  on. .  .and  your  business  data 
communications  is  certainly  one  of  them.  Wherever  you  are,  whatever  time 
it  is,  you  need  to  know  that  your  network  is  there  when  you  need  it. 

Available.  Predictable.  Secure. 

From  Wall  Street  to  Main  Street,  SAVVIS  is  the  financially  sound  choice  for 
people  who  demand  a  proactive  managed  IP  service  provider.  SAVVIS  has 
been  delivering  high  performance  IP  VPN  and  managed  hosting  services  to 
financial  institutions,  professional  services  firms,  and  retail  enterprises  for 
years.  And,  SAVVIS  has  one  of  the  strongest  balance  sheets  in  the  industry. 

Don’t just take our word for it. Visit our web site and discover what the Chicago Board Options Exchange, Looksmart, the Philadelphia Stock Exchange, RM Crowe, Shearman & Sterling, Fitch Ratings, Telezoo and so many others have to say about working with SAVVIS.


Trust the Network that Powers Wall Street to Empower your Business.


When  your  business  is  online,  sealed  documents,  signatures  and  handshakes  no  longer  work. 

Let  RSA  Security  bring  authenticity  to  your  e-business. 
KEVIN MITNICK IS THE MOST FAMOUS computer hacker of our time. His capture in February 1995 by computer scientist Tsutomu Shimomura was the subject of three hugely popular books. Since his release from prison on Jan. 21, 2000, Mitnick has taken on the role of “reformed hacker extraordinaire”— a man who seeks to undo the damage he has done by teaching corporate America how to defend against social engineering attacks (while making a pretty penny in the process).

This month Mitnick releases his first book, The Art of Deception. It is filled with stories of how an enterprising social engineer can outsmart office workers, circumvent security technology, and generally make a mockery of our attempts to protect computers and networks. Mitnick’s message is simple: Humans are the weakest link in any security system. Companies need to spend more time training their employees on how to resist such attacks.

That’s all true— and not surprising to hear from an allegedly reformed con man turned security consultant. (By almost all accounts, it was Mitnick’s ability to trick people, rather than his skill at computing, which made it possible for him to penetrate so many organizations.) However, Mitnick’s systematic downplay of technology and its value in defending sensitive information is yet another act of deception— one that could be far more damaging than any of his other exploits to date.

Awareness Isn’t Everything

To be sure, many organizations need to improve the security of their “human factor.” Social engineers use internal phone numbers, knowledge of procedures and even industry lingo to gain the trust of their intended victims.

One Mitnick anecdote: The intrepid social engineer calls up the network operations center of a cell phone company during a snowstorm. After befriending the operators, he asks them: “I left my SecurID card on my desk. Will you fetch it for me?” Of course, the network operators are too busy to do that, so they do the next best thing: They read off the ever-changing code on their own token, allowing the hacker to break in and steal the company’s source code. In this example, the caller is able to “prove” his identity by telling the network operators his office number, the department where he worked and the name of his supervisor— all information that the attacker had gleaned from previous phone calls to the company. Mitnick’s message is that organizations need to treat phone lists, org charts, technical procedure manuals and other information as highly confidential in order to protect themselves from social engineering attacks.

Alas, trying to keep such information confidential is ultimately a losing proposition: Companies simply can’t assume that this information won’t get out to competitors, recruiters and potential attackers. If nothing else, employees are sure to take this information with them when they switch jobs. Years of effort have also shown the difficulty in training people to resist social engineering attacks— these attacks are so rare that the troops just don’t get enough practice.

Instead, companies need to adopt both procedures and technology to minimize the impact that such confidential information loss can have— and to create systems and organizations that are resistant to social engineering attacks.

For example, many of the cons in Mitnick’s book revolve around the theft of a credit card or Social Security number. In one case, the social engineer who pretends to be the manager at one video store builds up a friendship over the telephone with the clerk at a sister store across town. Then one day the engineer calls up the clerk, claims that his computer is down, and says, “I’ve got a customer of yours here who wants to rent Godfather II and doesn’t have his card with him.... Could you verify his information for me?” Trying to help, the befriended clerk reveals the target customer’s name, address, credit card number and his recent rentals.

It’s important to teach clerks not to reveal such information over the phone. But there’s also a technical solution: Terminals and application programs used by customer service representatives should never display a customer’s credit card number. This is not a new idea; many firms, including VoiceStream and Amazon.com, have already deployed such technology. These companies have computer systems that keep customer credit card numbers on file for automatically billing future purchases, but the systems will not reveal a stored credit card number to either the customer or a customer service representative.
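As an added example (not code from the page, and not a description of the VoiceStream or Amazon.com systems it mentions), here is the shape of such a card-on-file store: the vault can bill against a stored number and can answer “does the number this caller just read out match?”, but the record a customer-service terminal receives carries only a token and the last four digits. The class and function names, the lockout threshold and the sample card number are all constructed for illustration.

```python
"""Card-on-file vault whose callers get tokens and last-four digits, never the PAN.

Added example, not code from the page or from any vendor it names.
All class and function names are made up for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CardOnFile:
    """The record a customer-service terminal is allowed to hold and display."""
    token: str        # opaque handle the billing system uses instead of the number
    customer_id: str
    last4: str        # the only digits that ever leave the vault
    expiry: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used only to reject typos before a number is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Holds card numbers; everything outside the vault works with tokens."""

    MAX_VERIFY_FAILURES = 3   # assumption: lock the yes/no oracle after repeated misses

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}          # token -> PAN, vault-internal only
        self._failures: dict[str, int] = {}      # token -> failed verify attempts
        self.cards: dict[str, CardOnFile] = {}   # token -> CSR-safe record

    def store(self, customer_id: str, pan: str, expiry: str) -> CardOnFile:
        """Take the number once, at enrolment, and hand back a record without it."""
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        self._failures[token] = 0
        card = CardOnFile(token, customer_id, pan[-4:], expiry)
        self.cards[token] = card
        return card

    def verify(self, token: str, claimed_pan: str) -> bool:
        """Answer 'does this match?' so a clerk can confirm a number a caller reads
        out without the stored number ever being shown. Constant-time compare plus
        a failure counter, because a yes/no oracle can otherwise be used to guess."""
        if self._failures[token] >= self.MAX_VERIFY_FAILURES:
            return False
        ok = hmac.compare_digest(self._pans[token].encode(), claimed_pan.encode())
        self._failures[token] = 0 if ok else self._failures[token] + 1
        return ok

    def charge(self, token: str, amount_cents: int) -> dict:
        """Billing path: the vault uses the PAN internally; the receipt carries last4 only."""
        pan = self._pans[token]
        # A real deployment would call the payment processor here with `pan`.
        return {"token": token, "last4": pan[-4:],
                "amount_cents": amount_cents, "status": "approved"}


def csr_screen(card: CardOnFile) -> str:
    """What the customer-service application renders: masked number only."""
    return (f"customer={card.customer_id} "
            f"card=****-****-****-{card.last4} exp={card.expiry}")
```

The point of the split is that the clerk in the video-store con has nothing to read out: the screen shows a masked number, and the only question the application will answer about the stored card is whether a number the caller supplies matches, with a lockout so that question cannot be used to guess.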

Simple  Steps 

Many of the most ingenious computer hacks in The Art of Deception are surprisingly simple: Time after time, the narrator simply convinces an innocent office worker to run a remote control program such as Netbus or Back Orifice on their office PC. Once the program is installed, the hacker can reach behind the company’s firewall and probe for confidential Microsoft Word files, examine e-mail or an appointment calendar, or whatever. This attack is particularly effective when it’s carried out against some high-level executive’s secretary.

A likely attack? Definitely. But experience has shown that judiciously used technology can prevent clerical staff from running the vast majority of malicious software. Most hackers are incapable of writing their own so-called Trojans; instead, they use malicious software that’s already in circulation— and that’s already recognized by today’s antivirus systems. Good antivirus systems won’t let a Trojan be downloaded over the Web or by e-mail, they won’t let it be copied onto a user’s hard drive from a floppy,
and if the software is downloaded, the antivirus won’t let it run.

Appliances Galore

What’s more convenient than your toaster? Plug it in, chuck in some bread, push the button, and you get toast. That simplicity, of course, is what vendors hope to call to mind by labeling their security products “appliances.” E-mail, antivirus, firewalls— you name it and somebody is pushing a piece of hardware that promises both high performance and no-hassle setup. And although they may not all be as easy to use as a toaster, Peter Lindstrom, director of security strategies at the Hurwitz Group, says the appliance hype is generally good news. “It’s an indicator that some of these product markets are maturing,” he says, although he points to the Web services area as an exception— an immature technology where the word appliance is nonetheless being bandied about.

Here are just a few of the latest round of security appliances.

Antivirus Box

Antivirus appliances have been around for a relatively long time. Celestix Networks hopes to push the state of the art in terms of simplicity with the Taurus Anti-Virus F1400, which is a box about the size of a computer speaker with an LCD panel for ultrasimple configuration and installation.

According to Celestix’s press material, “even nontechies can have entirely secure Internet and e-mail access in about 15 minutes.” The unit is preloaded with software from F-Secure and screens traffic before it reaches the firewall.

A more radical technical solution, of course, is simply to avoid running Microsoft products. Although Mitnick never says so, social engineers, virus writers and computer attackers of all stripes have benefited immeasurably from the computational monoculture that much of corporate America has created on the desktop. Companies with Macs or Linux on the desktop simply don’t have the problems with viruses and other hostile code that haunt most Microsoft shops.

Most companies don’t know when they’ve been hacked. It’s all too easy for a social engineer to erase a log file or have an employee unwittingly e-mail a file to a “drop dead” mailbox somewhere outside the country. Again, this is a job for technology: For a few hundred dollars most companies can deploy log servers— special computers that receive and record log events from elsewhere on your network but don’t allow any remote access. Firewalls can be configured to log all files that are transferred in or out of an organization. Perhaps you can’t prevent an employee from e-mailing a critical file to a spy, but you don’t have to keep yourself in the dark about it.
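As an added example, not code from the page, here is the kind of review that a central log server makes possible. The constructed lines below stand in for what a mail gateway and a firewall would forward to it; the script lists every file that left the organization, flags the ones worth a phone call, and shows which entries a host’s own log no longer contains, which is what an erased local log file looks like from the log server’s side. The log line format, host names, domains and thresholds are all assumptions, and the “no remote access” property of the log host itself is a matter of how that machine is configured, not something this script provides.

```python
"""Review outbound file transfers from logs forwarded to a central log server.

Added example; the log line format, hosts, domains and thresholds are constructed
for illustration and are not from any real product.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}          # assumption: the company's own mail domain
THROWAWAY_DOMAINS = {"freemail.example"}    # assumption: webmail providers worth a second look
LARGE_BYTES = 1_000_000                     # assumption: anything over ~1 MB gets flagged

# Constructed sample of what the log server has received (mail gateway + firewall).
CENTRAL_LOG = """\
2002-10-03T14:02:11Z mailgw01 smtp-out: from=<alice@example.com> to=<orders@supplier.example> attachments=1 names="po-4471.pdf" size=48211
2002-10-03T14:05:40Z mailgw01 smtp-out: from=<bob@example.com> to=<dropbox9921@freemail.example> attachments=1 names="design-spec.doc" size=1204811
2002-10-03T14:06:02Z fw01 ftp-out: src=10.1.4.22 dst=203.0.113.9 user=anonymous file=/payroll-q3.zip bytes=2048000
2002-10-03T14:07:30Z mailgw01 smtp-out: from=<carol@example.com> to=<dave@example.com> attachments=2 names="notes.txt,todo.txt" size=2100
2002-10-03T14:09:12Z mailgw01 smtp-out: from=<erin@example.com> to=<press@newswire.example> attachments=0 names="" size=900
""".splitlines()

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) smtp-out: from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'attachments=(?P<n>\d+) names="(?P<names>[^"]*)" size=(?P<size>\d+)$')
FTP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) ftp-out: src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'user=(?P<user>\S+) file=(?P<file>\S+) bytes=(?P<size>\d+)$')


@dataclass
class Transfer:
    ts: str
    host: str         # the device that reported it
    channel: str      # "smtp" or "ftp"
    actor: str        # sender address or source IP
    destination: str  # recipient domain or destination IP
    files: list
    size: int


def parse(line: str):
    """Turn one forwarded log line into a Transfer, or None for lines we don't handle."""
    m = MAIL_RE.match(line)
    if m:
        files = m["names"].split(",") if m["names"] else []
        domain = m["rcpt"].rsplit("@", 1)[1].lower()
        return Transfer(m["ts"], m["host"], "smtp", m["sender"], domain, files, int(m["size"]))
    m = FTP_RE.match(line)
    if m:
        return Transfer(m["ts"], m["host"], "ftp", m["src"], m["dst"], [m["file"]], int(m["size"]))
    return None


def outbound_transfers(lines):
    """Every transfer that carried a file out of the organization (the 'log all of it' step)."""
    out = []
    for t in filter(None, map(parse, lines)):
        if not t.files:
            continue
        # ftp-out is only logged by the firewall for external destinations, by construction
        if t.channel == "ftp" or t.destination not in INTERNAL_DOMAINS:
            out.append(t)
    return out


def flagged(lines):
    """The subset a security group would actually phone someone about, with reasons."""
    hits = []
    for t in outbound_transfers(lines):
        reasons = []
        if t.size >= LARGE_BYTES:
            reasons.append("large")
        if t.destination in THROWAWAY_DOMAINS:
            reasons.append("webmail")
        if reasons:
            hits.append((t, reasons))
    return hits


def erased_locally(central_lines, host_lines, host):
    """Entries the log server holds for `host` that the host's own log no longer has:
    the trace left behind when someone wipes a local log file."""
    local = set(host_lines)
    return [line for line in central_lines
            if line.split(" ")[1] == host and line not in local]
```

The review does not try to block anything; it only makes the transfer visible and keeps a copy of the record somewhere the employee’s PC and the gateway cannot reach, which is exactly the “you don’t have to keep yourself in the dark” property the paragraph describes.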

Don’t get me wrong: Lectures, training sessions and awareness briefings all have their place. But they only go so far. Probably the best way to teach employees techniques for resisting social engineering is to repeatedly hit them with realistic mock social engineering attacks. That is, CSOs should “penetration test” employees, the same way we penetration test servers, firewalls and telecommunications systems.

All companies should have a policy of reporting attempted social engineering incidents to the corporate security group. Companies should then randomly call employees, attempt to hack them and see what gets reported. New employees are exceedingly vulnerable to attacks; for this reason, new employees should receive several social engineering attacks during their probationary period, and then on a regular basis throughout their career.

Fact or Fiction?

It’s easy to imagine that many CSOs will be turned off by the thought of purchasing a book from a convicted computer criminal. Certainly it’s not good for society when criminal hackers are rewarded for their misdeeds.

As it turns out, the courts agree. Mitnick, under the terms of his court-supervised release, is prohibited from selling his story until 2010. That’s why the anecdotes in The Art of Deception are all told through the veil of fiction. Each con artist and victim is given a made-up name, history, motivation and so on. While this artifice results in a book that is unfocused and frequently repetitive, there are occasional gems contained within the book’s covers— such as when Mitnick explains how Caller ID can be forged, and why it is so important to protect backup tapes.

In a way, it’s too bad that The Art of Deception doesn’t tell Mitnick’s story. In my opinion, much of what has been said about Mitnick over the years has been bald-faced lies by government officials and others— smear jobs that had the side effect of increasing budgets for cybercrime fighters. Mitnick is in fact a person whose story deserves to be told. On the other hand, there is a big difference between reading a reformed hacker’s words and hiring one to audit your internal systems. Read what Mitnick has to say, but keep him and his like away from your keyboards. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company.
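As an added example (not from the page and not Garfinkel’s code), here is a minimal tracker for the employee penetration-testing programme the review describes: it decides who is due for a mock call, picks targets at random so nobody can predict whose turn it is, and scores what happened, treating “gave the caller what he asked for and told nobody” as the number that matters. The employee data, probation length, number of probation tests and re-test interval are constructed assumptions.

```python
"""Schedule and score mock social-engineering calls against employees.

Added example; employees, dates and the programme parameters are constructed.
"""
import random
from dataclasses import dataclass
from datetime import date, timedelta

PROBATION = timedelta(days=90)              # assumption: probationary period length
PROBATION_TESTS = 3                         # assumption: "several" tests during probation
STEADY_INTERVAL = timedelta(days=180)       # assumption: re-test cadence afterwards


@dataclass(frozen=True)
class Employee:
    ident: str
    hired: date


@dataclass(frozen=True)
class MockAttack:
    employee: str
    when: date
    pretext: str       # e.g. "helpdesk asks for password reset"
    disclosed: bool    # employee gave up what the caller asked for
    reported: bool     # employee reported the call to corporate security


def due_for_test(employees, history, today):
    """Who should get a call now: new hires until they have had their quota,
    everyone else once the steady-state interval has passed since the last one."""
    due = []
    for e in employees:
        mine = [a for a in history if a.employee == e.ident]
        if today - e.hired < PROBATION:
            if len(mine) < PROBATION_TESTS:
                due.append(e)
        else:
            last = max((a.when for a in mine), default=None)
            if last is None or today - last >= STEADY_INTERVAL:
                due.append(e)
    return due


def pick_targets(due, how_many, seed):
    """Random sample of the due list (seeded only so a run can be reproduced)."""
    rng = random.Random(seed)
    return rng.sample(due, min(how_many, len(due)))


def scorecard(history):
    """Programme metrics: reporting is the behaviour being trained, so the worst
    outcome is an employee who disclosed and told nobody."""
    n = len(history)
    disclosed = sum(a.disclosed for a in history)
    reported = sum(a.reported for a in history)
    silent_failures = sum(a.disclosed and not a.reported for a in history)
    return {"attempts": n, "disclosed": disclosed, "reported": reported,
            "silent_failures": silent_failures,
            "report_rate": reported / n if n else 0.0}


def repeat_offenders(history, min_disclosures=2):
    """Employees who disclosed more than once: candidates for targeted coaching."""
    counts = {}
    for a in history:
        if a.disclosed:
            counts[a.employee] = counts.get(a.employee, 0) + 1
    return sorted(e for e, c in counts.items() if c >= min_disclosures)
```

The scorecard deliberately separates “disclosed” from “reported”: an employee who fell for the pretext but called security afterwards has done the thing the reporting policy asks for, while a silent failure is the case the mock calls exist to find.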


Multifunction Platform

Crossbeam calls its X40S an “open security appliance” into which users can plug up to 10 hardware modules running various applications, including antivirus, intrusion detection and firewall, from other vendors. For race car performance, users— wealthy ones, anyway— can load up each module with 2GHz-plus Intel processors and 4GB of memory. Starting at $55,000 for more basic configurations, this is not cheap stuff. On the other hand, though, anyone currently running each of these applications on a separate server might quickly see some cost efficiency.

Although some of the details vary, Lindstrom says other vendors, including Symantec with its Gateway Security line, offer similar products that consolidate multiple security functions onto a single hardware platform.


Sensors

NetBotz makes appliances of a different ilk. Mount one of its small boxes in a server room or wiring closet and you can remotely monitor temperature, motion, vibration or a number of other physical conditions (depending on which sensors you attach) that could potentially knock out your servers or other critical equipment. All NetBotz units have a standard Ethernet network jack and feed data and video back to a central Web-browser display. The company's president and CEO, Tom Goldman, offers up a case study of a customer who saved $400,000 in network equipment because NetBotz alerted him to high humidity conditions in a data center. The mere presence of a Web-connected camera, in fact, can offer some payback; the same client reported that theft of power supplies— an intermittent annoyance prior to the NetBotz installation— stopped altogether.

Refreshingly, Goldman doesn't even claim the units incorporate much advanced technology (although he adds that lots of gee-whiz stuff is under development in the company labs). For true appliances, after all, the simplicity is the selling point.

-Derek Slater
Beyond the Perimeter: New Challenges in Application Security

It's not just a seminar. It's a wake-up call.

The New Best Practices in Designing, Developing & Deploying Secure Applications

Increasingly sophisticated attacks are transcending network security, targeting vital corporate applications. How do you respond?

If you're a senior technology professional responsible for the design, development or deployment of secure applications, this free event is for you. Come hear experts from major corporations as well as thought leaders from top security services and solutions firms.

For more information and to register, go to atstake.com/wakeup


Topics include:

» Risk reduction strategies
» New best practices
» Return on Security Investment
» More...

Speakers from:

» @stake, Inc.
» McKesson Information Solutions
» OKENA, Inc.
» Oracle Corporation
» Research in Motion (RIM)
» Sanctum, Inc.


Locations and Dates

Atlanta: 10/3
Parsippany: 10/23
Boston: 10/16 & 10/22
Raleigh/Durham: 10/2
Chicago: 10/10
San Francisco: 10/29
Dallas: 10/9
San Jose: 10/30
Denver: 10/8
Seattle: 10/31
New York: 10/24
Washington, D.C.: 10/1

Register Now! Go to atstake.com/wakeup or call 1-866-621-3500.


Co-sponsored by:

CSO
The Resource for Security Executives
CSOonline.com

Sanctum

@stake and Where Security & Business Intersect are registered trademarks of @stake, Inc. OKENA is a trademark of OKENA, Inc. Sanctum is a trademark of Sanctum, Inc. Other products and company names are trademarks or registered trademarks of their respective holders.

Presented by:

@stake
Where Security & Business Intersect®


Graham Cluley, an English bloke with a disturbing amount of knowledge about computer viruses, thinks maybe we've stopped evolving. As senior technology consultant at Sophos Antivirus in Abingdon, England, Cluley says users are still unable to resist opening attachments, and administrators still fail to patch vulnerable systems. This after they've been warned and trained and begged and pleaded with to make their network safer. Then again, what does he care? Our failings are his revenue. CSO waxed viral with Cluley, who turns out to be the most eager and pleasant calamity howler in the world.

CSO: A couple of years ago we were warned that our PDAs and cell phones would be spreading viruses like mad. Nothing happened. Were you guys just drumming up business?

Cluley: It's now over two years since the first PDA virus was discovered, and it's exacted no damage. But worried people still call us about this. The biggest security problem with PDAs and cell phones seems to be losing them.

You've used the phrase "a cocktail approach to viruses." Does that mean using "I was at the pub" as an excuse when a virus hits?

What it means is that virus writers are combining all the techniques they've used in previous viruses to spread the attacks as fast as possible. Take Nimda, for example. It uses a double click on an attachment but will also automatically launch if you're not patched against that. Then it spreads via network shares, looking for other computers on the network to infect. Then it looks for vulnerable IIS Web servers. Then it changes the content of those Web servers so that when you go to browse them with unpatched browsers, it will infect or reinfect you.

So, patch your systems.

The depressing thing is that we don't seem to be learning from our mistakes. We've still got that Pavlov's dog reaction to attachments. Even when all the signs are dangerous, if it says "Drink me," we drink.

Best virus story ever?

We had a girl who called—frantic—who said she had been using her boyfriend's computer. She found all sorts of e-mails sent between her boyfriend and her best girlfriend. The e-mails clearly indicated they were having an affair. She confronted them, and they denied everything, saying it was a computer virus that made it look like e-mails passed between them.


What's the impetus for antivirus companies to fix the problem? It's guaranteed business.

It's like saying to doctors, "What's your reason for making people feel better?" We sometimes get little old ladies calling up who no longer use their computer to talk to the grandkids because of a bad virus experience. I don't want that on my shoulders.

How many times in the past year have you said, "Don't double click on unsolicited attachments?"

On average, about 38 times a day. [13,870 times a year.] The other phrase I find myself repeating is "This virus is not the end of the world as we know it."

And no one listens, which is good for business.

It can be frustrating, but if we help only one person, then we are better off than we were at breakfast.

Can we ever get the male computer-using population to believe that there are no naked pictures of Anna Kournikova out there?

There's a very simple rule that all computer users should and could adopt: Don't believe anything any e-mail says from anyone, ever. If you adopt that rule, I can almost guarantee you won't get infected. Of course, you might not go very far in your job.

Which is worse, a virus or spam?

Personally I find spam much worse. I don't need Viagra, really! I don't need to enlarge my chest size. Spam makes my life miserable every day.

The words you say are cynical and pessimistic, but you sound happy.

[Editor: The following is spoken cheerfully.]

It never fails to amaze me just how dumb we are in general. Just terribly unsophisticated. In many ways, we've barely stood upright in terms of evolution.

Fess up. You've been infected by a virus in the past year.

No. Not even a sore throat. Seriously, I've never been infected. Even when I was a student. Really, I haven't. I'm disappointed at how few viruses I get. I must not be in many Outlook address books. ■
ILLUSTRATION BY PATRICK MEREWETHER


Interact Security

Why should you look at a secure managed hosting solution?

A recent FBI survey showed that 90% of respondents reported security breaches during the past twelve months. The cost to American business exceeded $260 billion a year.

ServerVault is the number one secure managed hosting company in the world. Our systems were constructed by the people who advised the Pentagon on network security. Our facilities meet Department of Defense SCIF standards and we're the only ones who can say that.

We provide custom solutions backed by unbeatable customer service:

♦ Secured Managed Hosting
♦ Disaster Recovery and Backup
♦ Connecting Closed-User Communities
♦ Storage Solutions
♦ Secure Email Solutions

Check Mate!

Contact us, to win the game, at 1-877-78-VAULT or visit our website at www.servervault.com

PLAN YOUR NEXT MOVE!

ServerVault is a wholly-owned affiliate of Western & Southern Financial Group


Jack Henry & Associates is VigilEnt with PentaSafe.

VigilEnt Integrated Security Management

[Diagram: Intrusion Management, Vulnerability Management]

PENTASAFE SOLUTIONS

As General Manager of Electronic Services at Jack Henry & Associates, I'm responsible for the data processing of hundreds of banks and financial institutions nationwide. Our business and our clients demand the highest security standards. Since 1999, we've relied on PentaSafe's VigilEnt software to help us secure millions of transactions every day.

See for yourself how PentaSafe security solutions can help you become more vigilant in managing security across your enterprise.

Want to find out more about PentaSafe's VigilEnt Integrated Security Management Solutions?

Go to www.pentasafe.com to:

■ Register for an Executive Security Briefing, featuring Gartner Group's John Pescatore.
■ Download our free "Integrated Security Management" whitepaper

PentaSafe
The safest way to grow your business.

